(54) Tamper resistant microprocessor



(57) Under a multi-task environment, a tamper re- 
sistant microprocessor saves a context information for 
one program whose execution is to be interrupted, 
where the context information contains information indi- 
cating an execution state of that one program and the 
execution code encryption key of that one program. An
execution of that one program can be restarted by recovering
the execution state of that one program from
the saved context information. The context information 
can be encrypted by using the public key of the micro- 
processor, and then decrypted by using the secret key 
of the microprocessor. 
Description

BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 

[0001] The present invention relates to a microprocessor
that can prevent illegal alteration of execution
codes and processing target data under a multi-task
program execution environment.

DESCRIPTION OF THE BACKGROUND ART 

[0002] In recent years, the performance of a micro- 
processor has improved considerably such that the mi- 
croprocessor is capable of realizing reproduction and 
editing of video images and audio sounds, in addition to 
the conventional functions such as computations and 
graphics. By implementing such a microprocessor in a 
system designed for end-user (which will be referred to 
as PC hereafter), the users can enjoy various video images
and audio sounds on monitors. Also, by combining
the function for reproducing video images and audio 
sounds with the computational power of the PC, the ap- 
plicability to games or the like can be improved. Such a 
microprocessor is not designed for any specific hard- 
ware and can be implemented in a variety of hardwares 
so that there is an advantage that the users who already 
possess PCs can enjoy reproduction and editing of vid- 
eo images and audio sounds inexpensively by simply 
changing a microprocessor for executing programs. 
[0003] In the case of handling video images and audio 
sounds on PCs, there arises a problem of a protection 
of the copyright of original images or music. In the MD 
or digital video playback devices, unlimited copies can 
be prevented by implementing a mechanism for pre- 
venting the illegal copying in these devices in advance. 
It is rather rare to attempt the illegal copying by disas- 
sembling and altering these devices, and even if such 
devices are made, there is a worldwide trend for prohib- 
iting the manufacturing and sales of devices altered for 
the purpose of illegal copying by laws. Consequently, 
damages due to the hardware based illegal copying are 
not very serious. 

[0004] However, image data and music data are ac- 
tually processed on the PC by the software rather than 
the hardware, and the end-user can freely alter the soft- 
ware on the PC. Namely, if the user has some level of 
knowledge, it is quite feasible to carry out the illegal cop- 
ying by analyzing programs and rewriting the executa- 
ble software. In addition, there is a problem that the soft- 
ware for illegal copying so produced can be spread very 
quickly through media such as networks, unlike the 
hardware. 

[0005] In order to resolve these problems, conven- 
tionally a PC software to be used for reproducing copy- 
right protected contents such as commercial films or 
music has employed a technique for preventing analysis
and alteration by encrypting the software. This technique
is known as a tamper resistant software (see David
Aucsmith et al., "Tamper Resistant Software: An Implementation",
Proceedings of the 1996 Intel Software
Developer's Conference).

[0006] The tamper resistant software technique is al- 
so effective in preventing illegal copying of valuable in- 
formation including not only video and audio data but 
also text and know-how that is to be provided to a user 
through the PC, and protecting know-how contained in 
the PC software itself from analysis. 
[0007] However, the tamper resistant software technique
is a technique which makes analysis using tools
such as a disassembler or debugger difficult by encrypting
a portion of the program that requires protection before
the execution of the program starts, decrypting that
portion immediately before executing that portion and
encrypting that portion again immediately after the execution
of that portion is completed. Consequently, as
long as the program is executable by a processor, it is
always possible to analyze the program by carrying out 
the analysis step by step starting from the start of the 
program. 

[0008] This fact has been an obstacle for a copyright 
owner to provide copyright protected contents to a sys- 
tem for reproducing video and audio data using the PC. 
[0009] The other tamper resistant software applica- 
tions are also vulnerable in this regard, and this fact has 
been an obstacle to a sophisticated information server 
through the PC and an application of a program contain- 
ing know-how of an enterprise or individual to the PC. 
[0010] These are problems that equally apply to the 
software protection in general, but in addition, the PC is 
an open platform so that there is also a problem of an 
attack by altering the operating system (OS) which is intended
to be a basis of the system's software configuration.
Namely, a skilled and malicious user can alter the
OS of his own PC to invalidate or analyze the copyright 
protection mechanisms incorporated in application pro- 
grams by utilizing privileges given to the OS. 
[0011] The current OS realizes the management of 
resources under the control of the computer and the ar- 
bitration of their uses by utilizing a privileged operation 
function with respect to a memory and an execution con- 
trol function provided in CPU. Targets of the manage- 
ment include the conventional targets such as devices, 
CPU and memory resources, as well as QoS (Quality of 
Service) at network or application level. Nevertheless, 
the basics of the resource management are still alloca- 
tions of resources necessary for the execution of a pro- 
gram. Namely, an allocation of a CPU time to the exe- 
cution of that program and an allocation of a memory 
space necessary for the execution are the basics of the
resource management. The control of the other devices, 
network and application QoS is realized by controlling 
the execution of a program that makes accesses to 
these resources (by allocating a CPU time and a mem- 
ory space). 
[0012] The OS has privileges for carrying out the CPU
time allocation and the memory space allocation. Namely,
the OS has a privilege for interrupting and restarting
an application program at arbitrary timing and a privilege
to move a content of a memory space allocated to an
application program to a memory of a different hierar- 
chical level at arbitrary timing, in order to carry out the 
CPU time allocation. The latter privilege is also used for 
the purpose of providing a flat memory space to the ap- 
plication by concealing (normally) hierarchical memory 
systems with different access speeds and capacities 
from the application. 

[0013] Using these two privileges, the OS can inter- 
rupt an execution state of the application and take a 
snapshot of it at arbitrary timing, and restart it after making
a copy of it or rewriting it. This function can also be
used as a tool for analyzing secrets hidden in the appli- 
cation. 

[0014] In order to prevent an analysis of the applica- 
tion on a computer, there are several known techniques 
for encrypting programs or data (Hampson, U.S. Patent 
No. 4,847,902; Hartman, U.S. Patent No. 5,224,166; 
Davis, U.S. Patent No. 5,806,706; Takahashi et al.,
U.S. Patent No. 5,825,878; Buer et al., U.S. Patent No.
6,003,117; Japanese Patent Application Laid Open No.
11-282667 (1999), for example). However, these known
techniques do not account for the protection of the pro- 
gram operation and the data secrecy from the above de- 
scribed privileged operations of the OS. 
[0015] The conventional technique based on the x86 
architecture of Intel Corporation (Hartman, U.S. Patent 
No. 5,224,166) is a technique for storing the execution 
codes and data by encrypting them by using a prescribed
encryption key Kx. The encryption key Kx is given
in a form of E_Kp[Kx] which is encrypted by using a
public key Kp corresponding to a secret key Ks embed- 
ded in a processor. Consequently, only the processor 
that knows Ks can decrypt the encrypted execution 
codes on a memory. The encryption key Kx is stored in 
a register inside the processor called a segment regis- 
ter. 

[0016] Using this mechanism, it is possible to protect 
the secrecy of the program codes from the user to some 
extent by encrypting the codes. Also, it becomes cryp- 
tographically difficult for a person who does not know 
the encryption key Kx of the codes to alter the codes 
according to his intention or newly produce codes that 
are executable when decrypted by using the encryption 
key Kx. 

[0017] However, the system employing this technique 
has a drawback in that the analysis of the program be- 
comes possible by utilizing a privilege of the OS called 
a context switching, without decrypting the encrypted 
execution codes. 

[0018] More specifically, when the execution of the 
program is stopped by the interruption or when the program
voluntarily calls up a software interruption command
due to the system call up, the OS carries out the
context switching for the purpose of the execution of the
other program. The context switching is an operation to 
store an execution state (which will be referred to as a 
context information hereafter) of the program indicating 
a set of register values at that point into a memory, and 
restoring the context information of another program 
stored in the memory in advance into the registers. 
[0019] Fig. 15 shows the conventional context storing
format used in the x86 processor. All the contents of the 
registers used by the application are contained here. 
The context information of the interrupted program is re- 
stored into the registers when the program is restarted. 
The context switching is an indispensable function in or- 
der to operate a plurality of programs in parallel. In the 
conventional technique, the OS can read the register 
values at a time of the context switching, so that it is 
possible to guess most of the operations made by the 
programs if not all, according to how the execution state 
of that program has changed. 

[0020] In addition, by controlling a timing at which the 
exception occurs by setting of a timer or the like, it is 
possible to carry out this processing at arbitrary execu- 
tion point of the program. Apart from the interruption of 
the execution and the analysis, it is also possible to re- 
write the register information by malicious intention. The 
rewriting of the registers can not only change the oper- 
ation of the program but also make the program analysis 
easier. The OS can store arbitrary state of the application
so that it is possible to analyze the operation of the
program by rewriting the register values and operating 
the program repeatedly. In addition to the above de- 
scribed functions, the processor has a debugging sup- 
port function such as a stepwise execution, and there 
has been a problem that the OS can analyze the appli- 
cation by utilizing all these functions. 
[0021] As far as data are concerned, U.S. Patent No. 
5,224,166 asserts that the program can access the en- 
crypted data only by the program execution using the 
encrypted code segment. Here, there is a problem that 
the encrypted data can be freely read by the encrypted 
program by using arbitrary key, regardless of the en- 
cryption key by which the program is encrypted, even 
when there are programs encrypted by using mutually 
different encryption keys. This conventional technique 
does not account for the case where the OS and the 
application have their own secrets independently and 
the secret of the application is to be protected from the 
OS or a plurality of program providers have their own 
secrets separately. 

[0022] Of course, it is possible to separate memory 
spaces among the applications and to prohibit accesses 
to a system memory by the applications by the protec- 
tion function provided in the virtual memory mechanism 
even in the existing processor. However, as long as the 
virtual memory mechanism is under the management of
the OS, the protection of the secret of the application 
cannot rely on the function under the management of 
the OS. This is because the OS can access data by ignoring
the protection mechanism, and this privilege is
indispensable in providing the virtual memory function 
as described above. 

[0023] As another conventional technique, Japanese 
Patent Application Laid Open No. 11-282667 (1999) discloses
a technique of a secret memory provided inside
the CPU in order to store the secret information of the 
application. In this technique, a prescribed reference 
value is required in order to access data in the secret 
memory. However, this reference fails to disclose how 
to protect the reference value for obtaining the access 
right with respect to the secret data from a plurality of 
programs operating in the same CPU, especially the 
OS. 

[0024] Also, in U.S. Patent No. 5,123,045, Ostrovsky
et al. disclose a system that presupposes the use of sub- 
processors having unique secret keys corresponding to 
the applications, in which the operation of the program 
cannot be guessed from the access pattern by which 
these sub-processors are accessing programs placed 
on a main memory. This is based on a mechanism for 
carrying out random memory accesses by converting 
the instruction system for carrying out operations with 
respect to the memory into another instruction system 
different from that. 

[0025] However, this technique requires different sub- 
processors for different applications so that it requires 
a high cost, and the implementation and fast realization 
of the compiler and processor hardware for processing 
such instruction system are expected to be very difficult 
as they are quite different from those of the currently 
used processors. Besides that, in this type of processor, 
it becomes difficult to comprehend correspondences 
among the data contents and the operations even when 
the data and the operations of the actually operated 
codes are observed and traced so that the debugging 
of the program becomes very difficult, and therefore this 
technique has many practical problems, compared with 
the other conventional techniques described above in 
which the program codes and the data are simply en- 
crypted, such as those of U.S. Patent No. 5,224, 1 66 and 
Japanese Patent Application Laid Open No. 1 1 -282667. 

SUMMARY OF THE INVENTION 

[0026] Therefore the first object of the present inven- 
tion is to provide a microprocessor capable of surely pro- 
tecting both the internally executed algorithm and the 
data state inside a memory region from illegal analysis 
in the multi-task environment even when the execution 
is stopped by the interruption. 

[0027] This first object is motivated by the fact that the 
conventional techniques are capable of protecting val- 
ues of the program codes but are incapable of prevent- 
ing the analysis utilizing the interruption of the program 
execution by the exception occurrence or the debugging 
function. Thus the present invention aims at providing a 
microprocessor capable of surely protecting the codes
even at a time of the program execution interruption, in
which this protection is compatible with both the execu- 
tion control function and the memory management func- 
tion required by the current OS. 
[0028] The second object of the present invention is
to provide a microprocessor in which each program can 
secure a correctly readable/writable data region inde- 
pendently even when a plurality of programs encrypted 
by using different encryption keys are to be executed. 
[0029] This second object is motivated by the fact that
the conventional technique of U.S. Patent No.
5,224,166 only provides a simple protection in which accesses
to the encrypted data region by non-encrypted
codes are prohibited, and it has been impossible for a
plurality of programs to protect their own secrets independently.
Thus the present invention also aims at providing
a microprocessor which has a data region for protecting
secret of each application from the OS when a
plurality of applications have their respective (encrypted)
secrets.

[0030] The third object of the present invention is to 
provide a microprocessor capable of protecting the protected
attributes (i.e., encrypted attributes) of the above
described data region from illegal rewriting by the OS. 
[0031] This third object is motivated by the fact that
the conventional technique of U.S. Patent No.
5,224,166 has a drawback in that the OS can rewrite the
encrypted attributes set in the segment register by interrupting
the execution of the program using the context
switching. Once the program is put in a state where
data are written in a form of plaintext by rewriting the
encrypted attributes, data will be written into a memory
without encryption. Even if the application checks the
segment register value at some timing, the result is the
same if the register value is rewritten after that. Thus
the present invention also aims at providing a microprocessor
provided with a mechanism which is capable
of prohibiting such an alteration or detecting such an alteration
and taking appropriate measure against such
an alteration.

[0032] The fourth object of the present invention is to 
provide a microprocessor capable of protecting the encrypted
attributes from the so called chosen-plaintext attack
of the cryptanalysis theory, in which the program
can use arbitrary value as the data encryption key.
[0033] The fifth object of the present invention is to 
provide a microprocessor provided with a mechanism 
for the program debugging and feedback. Namely, the 
present invention aims at providing a microprocessor in 
which the debugging of the program is carried out in
plaintext and the feedback of information on defects is 
provided to a program code provider (program vendor) 
in the case of the execution failure. 
[0034] The sixth object of the present invention is to 
provide a microprocessor capable of achieving the first
to fifth objects described above in a form that realizes 
both a low cost and a high performance. 
[0035] In order to achieve the first object, the first aspect
of the present invention has the following features.
The microprocessor which is formed as a single chip or 
a single package reads a plurality of programs encrypt- 
ed by using code encryption keys that are different for 
different programs, from a memory (a main memory, for 
example) external of the microprocessor through a bus 
interface unit that provides a reading function. A decryp- 
tion unit decrypts these plurality of read out programs 
by using respectively corresponding decryption keys, 
and an instruction execution unit executes these plural- 
ity of decrypted programs. 

[0036] In the case of interrupting the execution of 
some program among the plurality of programs, a con- 
text information encryption/decryption unit that provides 
an execution state writing function encrypts information 
indicating a state of execution up to an interrupted point 
of the program to be interrupted and the code encryption 
key of this program, by using an encryption key unique 
to the microprocessor, and writes the encrypted infor- 
mation as a context information into a memory external 
of the microprocessor. 

[0037] In the case of restarting the interrupted pro- 
gram, a verification unit that provides a restarting func- 
tion decrypts the encrypted context information by using 
a unique decryption key corresponding to the unique en- 
cryption key of the microprocessor, and restarts the ex- 
ecution of the program only when the code encryption 
key contained in the decrypted context information (that 
is the code encryption key of the program scheduled to 
be restarted) coincides with the original code encryption 
key of the interrupted program. 

[0038] In addition, in order to achieve the second and 
third objects, the microprocessor also has a memory re- 
gion (a register, for example) inside the processor that 
cannot be read out to the external, and an encrypted 
attribute writing unit (an instruction TLB, for example) 
for writing encrypted attributes for the processing target 
data of the program into the internal memory. The en- 
crypted attributes include the code encryption key of the 
program and an encryption target address range, for example.
At least a part of these encrypted attributes is
contained in the context information. 
[0039] The context information encryption/decryption 
unit also attaches a signature based on a secret infor- 
mation unique to the microprocessor to the context in- 
formation. In this case, the verification unit judges 
whether the signature contained in the decrypted con- 
text information coincides with the original signature 
based on the secret information unique to the micro- 
processor or not, and restarts the interrupted program 
only when they coincide. 

[0040] In this way, the state of execution up to an in- 
terrupted point of the encrypted program is stored in the 
external memory as the context information, while the 
protected attributes of the execution processing target 
data are stored in the register inside the processor, so 
that the illegal alteration of the data can be prevented. 
[0041] In order to achieve the fourth object, the second
aspect of the present invention has the following
features. The microprocessor that is formed as a single
chip or a single package maintains a unique secret key
therein that cannot be read out to the external. The bus
interface unit that provides a reading function reads the
code encryption key that is encrypted by using a unique
public key of the microprocessor corresponding to the
secret key in advance from a memory external of the
microprocessor. A key decryption unit that provides a
first decryption function decrypts the read out code encryption
key by using the secret key of the microprocessor.
The bus interface unit also reads out a plurality
of programs encrypted by respectively different code
encryption keys from an external memory. A code decryption
unit that provides a second decryption function
decrypts these plurality of read out programs. The instruction
execution unit executes these plurality of decrypted
programs.

[0042] In the case of interrupting the execution of
some program among the plurality of programs, a random
number generation mechanism generates a random
number as a temporary key. The context information
encryption/decryption unit writes a first value obtained
by encrypting information indicating the execution
state of the program to be interrupted by using the
random number, a second value obtained by encrypting
this random number by using the code encryption key
of the program to be interrupted, and a third value obtained
by encrypting this random number by using the
secret key of the microprocessor, into the external memory
as the context information.

[0043] In the case of restarting the execution of the
program, the context information encryption/decryption
unit reads out the context information from the external
memory, decrypts the random number of the third value
contained in the context information by using the secret
key, and decrypts the execution state information contained
in the context information by using the decrypted
random number. At the same time, the random number
of the second value contained in the context information
is decrypted by using the code encryption key of the program
scheduled to be restarted. The random number
obtained by decrypting the second value by using the
code encryption key and the random number obtained
by decrypting the third value by using the secret key are
compared with the temporary key, and the execution of
the program is restarted only when they coincide.
[0044] In this way, the context information indicating
the state of execution up to an interrupted point is encrypted
by using the random number that is generated
at each occasion of the storing, and the signature using
the secret key unique to the microprocessor is attached,
so that the context information can be stored in the external
memory safely.
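
The save and restart procedure of paragraphs [0042] and [0043] can be modelled in a few lines. The following Python sketch is an added example, not code from the patent. It assumes symmetric stand-ins for the ciphers (a 4-round Feistel construction and an HMAC-based keystream), treats the processor secret as a symmetric key, and implements the comparison in [0043] as a comparison of the two recovered copies of the temporary key; all function names and the sample register state are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes; size of the temporary key in this model
HALF = KEY_LEN // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (assumption): 4-round Feistel over 32 bytes."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the execution state, keyed by the temporary key."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return _xor(data, bytes(stream))


def save_context(state: bytes, code_key: bytes, cpu_secret: bytes) -> dict:
    """[0042]: build the three values written to external memory."""
    temp_key = secrets.token_bytes(KEY_LEN)  # fresh random number per save
    return {
        "first": stream_xor(temp_key, state),           # state under temporary key
        "second": block_encrypt(code_key, temp_key),    # temporary key under code key
        "third": block_encrypt(cpu_secret, temp_key),   # temporary key under CPU secret
    }


def restore_context(ctx: dict, code_key: bytes, cpu_secret: bytes):
    """[0043]: return the execution state, or None if the restart is refused."""
    if len(ctx["second"]) != KEY_LEN or len(ctx["third"]) != KEY_LEN:
        return None
    from_cpu = block_decrypt(cpu_secret, ctx["third"])
    from_code = block_decrypt(code_key, ctx["second"])
    # Restart only when both recovered copies of the temporary key coincide.
    if not hmac.compare_digest(from_cpu, from_code):
        return None
    return stream_xor(from_cpu, ctx["first"])


# Constructed sample register state (not taken from the patent).
SAMPLE_STATE = b"pc=0x00401a2c;sp=0x7ffe1000;r0=0x0000002a;r1=0x00000007"

if __name__ == "__main__":
    cpu, key_a, key_b = secrets.token_bytes(32), b"A" * 32, b"B" * 32
    ctx = save_context(SAMPLE_STATE, key_a, cpu)
    print("same program :", restore_context(ctx, key_a, cpu))
    print("other program:", restore_context(ctx, key_b, cpu))
```

The comparison authenticates the temporary key only, so in this model a context is refused when it is presented for a program with a different code encryption key, on a different processor, or with the second and third values taken from different saves.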

[0045] In order to achieve the first to third and sixth
objects, the third aspect of the present invention has the
following features. The microprocessor that is formed
as a single chip or a single package reads out a plurality
of programs encrypted by using the encryption keys that
are different for different programs, and executes them. 
This microprocessor has an internal memory (a register, 
for example) that cannot be read out to the external, and 
stores the encrypted attributes for data to be referred 
from each program (that is the processing target data) 
and the encrypted attribute specifying information into 
the register. The context information encryption/decryp- 
tion unit writes a related information that is related to the 
encrypted attribute specifying information stored in the 
register and containing a signature unique to the micro- 
processor, into the external memory. A protection table 
management unit reads the related information from the 
external memory according to an address of the data to 
be referred by the program. The verification unit verifies 
the signature contained in the read out related informa- 
tion by using the secret key, and permits the data refer- 
ring by the program according to the encrypted attribute 
specifying information and the read out related informa- 
tion only when that signature coincides with the signa- 
ture unique to the microprocessor. 
[0046] In this configuration, the information to be 
stored in the internal register is attached with the signa- 
ture and stored into the external memory, and only the 
necessary portion is read out to the microprocessor. The
signature is verified at a time of reading, so that the safe- 
ty against the substitution can be secured. Even when 
the number of programs to be handled is increased and 
the number of the encrypted attributes is increased, 
there is no need to expand the memory region inside 
the microprocessor so that a cost can be reduced. 
[0047] According to one aspect of the present inven- 
tion there is provided a microprocessor having a unique 
secret key and a unique public key corresponding to the 
unique secret key that cannot be read out to external, 
comprising, a reading unit configured to read out a plu- 
rality of programs encrypted by using different execution 
code encryption keys from an external memory; a de- 
cryption unit configured to decrypt the plurality of pro- 
grams read out by the reading unit by using respective 
decryption keys; an execution unit configured to execute 
the plurality of programs decrypted by the decryption 
unit; a context information saving unit configured to save 
a context information for one program whose execution 
is to be interrupted, into the external memory or a context
information memory provided inside the microprocessor,
the context information containing information
indicating an execution state of the one program and the 
execution code encryption key of the one program; and 
a restart unit configured to restart an execution of the 
one program by reading out the context information from 
the external memory or the context information memory, 
and recovering the execution state of the one program 
from the context information. 

[0048] Other features and advantages of the present 
invention will become apparent from the following de- 
scription taken in conjunction with the accompanying 
drawings. 



BRIEF DESCRIPTION OF THE DRAWINGS 

[0049] Fig. 1 is a block diagram showing a system incorporating
a microprocessor according to the first embodiment
of the present invention.

[0050] Fig. 2 is a diagram showing an entire memory
space used in the microprocessor of Fig. 1.

[0051] Fig. 3 is a block diagram showing a basic configuration
of a microprocessor according to the second
embodiment of the present invention.

[0052] Fig. 4 is a block diagram showing a detailed
configuration of the microprocessor of Fig. 3.

[0053] Fig. 5 is a diagram showing a page directory
and a page table format used in the microprocessor of
Fig. 3.

[0054] Fig. 6 is a page table and a key entry format
used in the microprocessor of Fig. 3.

[0055] Figs. 7A and 7B are diagrams respectively
showing exemplary data before and after interleaving
used in the microprocessor of Fig. 3.

[0056] Fig. 8 is a diagram showing a flow of information
for a code decryption processing to be carried out
in the microprocessor of Fig. 3.

[0057] Fig. 9 is a diagram showing a CPU register
used in the microprocessor of Fig. 3.

[0058] Fig. 10 is a diagram showing a context saving
format used in the microprocessor of Fig. 3.

[0059] Fig. 11 is a flow chart for a protection domain
switching procedure to be carried out in the microprocessor
of Fig. 3.

[0060] Fig. 12 is a diagram showing a flow of information
for data encryption and decryption processing to be
carried out in the microprocessor of Fig. 3.

[0061] Fig. 13 is a diagram conceptually showing a
process of execution control within a protection domain
by the microprocessor of Fig. 3.

[0062] Fig. 14 is a diagram conceptually showing a
process of call up and branching from a protection domain
to a non-protection domain by the microprocessor
of Fig. 3.

[0063] Fig. 15 is a diagram showing a context saving
format used in a conventional processor.

DETAILED DESCRIPTION OF THE PREFERRED
EMBODIMENTS

[0064] Referring now to Fig. 1 and Fig. 2, the first em- 
bodiment of a tamper resistant microprocessor accord- 
ing to the present invention will be described in detail. 

[0065] This first embodiment is directed to a microprocessor
for protecting secrets of the program instructions
(execution codes) and the context information (execution
state) which are to be provided in encrypted
forms by using the public key (asymmetric key) cryptosystem,
from a user of a target system.

[0066] Fig. 1 shows the target system, where a microprocessor
2101 of the target system is connected to a
main memory 2103 through a bus 2102.
[0067] As shown in Fig. 1, in this embodiment, the microprocessor
2101 has a register file 2111, an instruction
execution unit 2112, an instruction buffer 2113, a
public key decryption function 2114, a secret key register
2115, a common key decryption function 2116, a
common key register 2117, a BIU (Bus Interface Unit)
2118, a register buffer 2119, a public key register 2120,
an encryption function 2121, a decryption function 2122,
and a previous common key register 2123, which will be
described in further detail below.
[0068] First, the terms to be ised in the following de- 
scription wilt be described, and the operation of general 
operating system (OS) and application programs will be 
described briefly. A program is a set of data and a series 
of machine language instructions written for some spe- 
cific purpose. The OS is a program for managing re- 
sources of the system, and the application is a program 
to be operated under the resource management of the 
OS. This embodiment presupposes the multi-task sys- 
tem, so that a plurality of application programs will be 
operated in a quasi parallel manner under the manage- 
ment of the OS. Each one of these programs that are 
operated in the quasi parallel manner will be referred to 
as a process. There are cases where a set of processes 
for executing the processes for the same purpose will 
be referred to as a task. 

[0069] The instructions and data of the application 
program are usually stored in files on a secondary mem- 
ory. They are arranged on a memory by a loader of the 
OS and executed as a process. The execution of the 
program is often interrupted by an exception (or inter- 
ruption) processing of the processor caused by input/ 
output or the like. A program for carrying out the excep- 
tion processing will be referred to as an exception han- 
dler, The exception handler is usually set up by the OS. 
The OS can process an exception request from the 
hardware, interrupt the operation of the application and 
restart or start the operation of another application at 
arbitrary timing. The interruptions of the process include 
transitory cases where the execution of the original 
process is restarted without switching processes after 
the execution of the exception handler, and cases re- 
quiring the process switching. Examples of the former 
include a simple timer increment and examples of the 
latter include a virtual memory processing due to the 
page exception. 

[0070] The object of this embodiment is to protect the 
program instructions (execution codes) and the execu- 
tion state from a user of the target system who can freely 
read the main memory of the target system and freely 
alter the OS program or application programs. 
[0071] The basic features for achieving this object are the access control with respect to the information storage inside the processor and the encryption based on the information listed below.

(1) A common key Kx selected by a program creator. The application program will be encrypted by the secret key cryptosystem using this key.

(2) A pair of a unique public key Kp and a unique secret key Ks provided inside the processor. The public key can be read out by the program by using instructions.

(3) An encryption key information in which the common key Kx of the program is encrypted by using the public key Kp of the processor.

[Execution of a plaintext program]

[0072] This processor is capable of executing a program with coexisting plaintext instructions and encrypted instructions which is placed on the main memory. Here the operation inside the CPU for the execution of a plaintext program will be described with references to Fig. 1 and a memory arrangement shown in Fig. 2.

[0073] Fig. 2 shows an entire memory space 2201, in which programs are placed in regions 2202 to 2204 on the main memory, where regions 2202 and 2204 are plaintext regions while a region 2203 is an encrypted region. A region 2205 stores a key information to be used in decrypting the region 2203.

[0074] The execution of the program is started as the control is shifted from the OS by an instruction for jump to a top X of the program or the like. The instruction execution unit 2112 executes the instruction for jump to X, and outputs an address of the instruction to the BIU 2118. The content of the address X is read through the bus 2102, sent from the BIU 2118 to the instruction buffer 2113, and sent to the instruction execution unit 2112 where the instruction is executed. Its operation result is reflected in the register file 2111. When the operation target is reading/writing with respect to an address on the main memory 2103, its address value is sent to the BIU 2118, that address is outputted from the BIU 2118 to the bus 2102, and data reading/writing with respect to the memory is carried out.

[0075] The instruction buffer 2113 has a capacity for storing two or more instructions, and the instructions corresponding to a size of the instruction buffer 2113 are collectively read out from the main memory 2103.

[Execution of encrypted instructions]

[0076] Next, the case of executing an encrypted instruction will be described. The processor of this embodiment has two states including the execution of plaintext instructions and the execution of encrypted instructions, and two types of instructions for controlling these states are provided. One is an encryption execution start instruction for making a transition from the execution of plaintext instructions to the execution of encrypted instructions, and another is a plaintext return instruction for making a reverse transition.

[Encryption execution start instruction]

[0077] The encryption execution start instruction is denoted by the following mnemonic "execenc" and takes one operand:

execenc keyaddr

where "keyaddr" indicates an address where the key information to be used in decrypting the subsequent instructions is stored.

[Key information] 

[0078] Here, the key information and the program encryption will be described. The encrypted region 2203 comprises a sequence of encrypted instructions. The instructions are subdivided into blocks in units of a prefetch queue size and encrypted by the secret key algorithm such as DES (Data Encryption Standard) algorithm. A key to be used in this encryption will be denoted as Kx hereafter. Since the secret key algorithm is used, the same key Kx is also used for the decryption.

[0079] If this Kx is placed on the main memory in a plaintext form, a user who can operate the OS of the target system can easily read it and analyze the encrypted program. In order to prevent this, E_Kp[Kx] obtained by encrypting Kx by using the public key Kp of the processor will be placed in the region 2205 of the memory. A top address of this region is indicated by "keyaddr".

[0080] It is cryptographically (computationally) impossible to decrypt Kx from E_Kp[Kx] unless one knows Ks corresponding to the public key Kp. Consequently, the secret of the program will never be leaked to the user as long as the user of the target system does not know Ks. This Ks is stored inside the processor in a form that cannot be read out from the outside. The processor can decrypt Kx internally without allowing the user to learn about it, and the processor can also decrypt the encrypted program by using Kx and execute it.

[0081] In the following, the encryption execution start instruction and the subsequent execution of the encrypted instruction will be described in detail. By the execution of the jump instruction in a region 2207, the control is shifted to the encryption execution start instruction at the address "start". At the address indicated by the operand "keyaddr" of the encryption execution start instruction, the content of the specified region 2205 is read out to the instruction execution unit 2112 of the processor as data. The instruction execution unit 2112 sends this data E_Kp[Kx] to the public key decryption function 2114. The public key decryption function 2114 takes out Kx by decrypting E_Kp[Kx] by using a secret key Ks unique to the processor which is stored in the secret key register 2115, and stores it in the common key register 2117. Then, the processor enters the encrypted instruction execution state.

[0082] Here, it is assumed that the processor package is manufactured such that the contents stored in the secret key register 2115 and the common key register 2117 cannot be read out to the outside by the program or the debugger of the processor chip.

[0083] By executing the encryption execution start instruction, the key to be used in decrypting the subsequent instructions is stored into the common key register 2117, and the processor enters the encrypted instruction execution state. When the processor is in the encrypted instruction execution state, the instructions read from the main memory 2103 are sent from the BIU 2118 to a common key decryption function 2116, decrypted by using the key information stored in the common key register 2117 and stored into the instruction buffer 2113.

[0084] In this embodiment, the program encrypted by using the key Kx which is stored in the region 2204 next to the encryption execution start instruction will be decrypted, stored in the instruction buffer 2113, and executed. The reading is carried out in units of a size of the instruction buffer 2113. Fig. 2 shows an exemplary case where the size of the instruction buffer 2113 is 64 bits, and four instructions of 16 bits size each are collectively read out to the instruction buffer 2113.



[Plaintext return instruction]

[0085] The processor in the encrypted instruction execution state returns to the plaintext instruction execution state by the execution of the plaintext return instruction.

[0086] The plaintext return instruction is denoted by the following mnemonic:

exitenc

which takes no operand. By execution of this instruction, the reading of the instructions from the main memory 2103 is carried out through a path that does not pass through the common key decryption function 2116, and the processor returns to the execution of the plaintext instructions.

[0087] Note that when the encryption execution start instruction is executed again during the execution of the encrypted instruction, the instruction decryption key is changed such that the subsequent instructions are decrypted by using a different key and executed.

[Context saving and attack against it]

[0088] Next, the safe saving of the execution state in order to protect the secret of the application program in the multi-task environment will be described.

[0089] The register file 2111 of this processor has 32 general purpose registers (R0 to R31). R31 is used as a program counter. The contents of the general purpose registers are stored in the register file 2111. When the exception occurs during the execution of the encrypted program as described above, the contents of the register file 2111 are moved to the register buffer 2119, and the contents of the register file 2111 are initialized by a prescribed value or a random number. Then, the value of the common key used for decryption of the encrypted program is stored in the previous common key register 2123. Only when these two types of initialization are completed, the control is shifted to the exception handler and the instructions of the exception handler are executed. The instructions of the exception handler are assumed to be non-encrypted.

[0090] By this register file initialization function, in the processor of this embodiment, the reading of the register values processed by the encrypted program by the exception handler program is prevented even in the case where the control is shifted to the exception handler as an exception occurs during the execution of the encrypted program. At the same time, the contents of the register file 2111 are saved in the register buffer 2119, and there is a function for recovering the register buffer contents and for storing them into the memory as will be described below, so as to enable the restart of the encrypted program.

[0091] Now, the register contents stored in the regis- 
ter buffer 2119 cannot be read out directly from the non- 
encrypted program of the exception handler. The non- 
encrypted program of the exception handler is only al- 
lowed to perform the following two operations with re- 
spect to the register buffer 2119. 

(1) Recover the register buffer contents and restart 
the execution of the original encrypted program. 

(2) Encrypt the register buffer contents and store them into the memory, and execute the OS program or another encrypted program.

[0092] In the case of (1), when the exception handler processing such as the increment of the counter is finished, the exception handler issues a "cont" (continue) instruction. When the "cont" instruction is executed, the contents of the register buffer 2119 and the previous common key register 2123 are recovered in the register file 2111 and the common key register 2117, respectively. The program counter is contained in the register file 2111, so that the execution of the encrypted program is restarted by setting the control back to a point where the execution of the encrypted program was interrupted. For the decryption of the encrypted program after the restart, the value recovered from the previous common key register 2123 will be used. Similarly as the contents of the register buffer 2119, the program cannot rewrite the previous common key register 2123 explicitly.

[0093] The case of (2) corresponds to the case where the process switching occurs at a timing of the execution of the exception handler. In this case, the exception handler or a task dispatcher of the processor issues a "savereg" (save register) instruction for saving the contents of the register buffer 2119 into the memory. This "savereg" instruction is denoted by the following mnemonic:

savereg dest

and takes one operand "dest" indicating an address to which the register buffer contents are to be saved.



[0094] When the "savereg" instruction is issued, the contents of the register buffer 2119 and the previous common key register 2123 are encrypted by the encryption function 2121 by using the public key Kp of the processor stored in the public key register 2120, and saved at an address on the main memory 2103 specified by "dest" through the BIU 2118. The main memory 2103 is outside the processor so that it has a possibility of being accessed by the user, but these contents are encrypted by the public key of the processor so that the user who does not know the secret key of the processor cannot learn the register buffer contents.

[0095] After the register buffer contents are saved, the OS activates another encrypted program by the method described above. If another encrypted program is activated without saving the register buffer contents, the register buffer contents would be rewritten to those of another encrypted program when the execution of another encrypted program is interrupted, and it would become impossible to restart the original encrypted program as the register buffer contents for the original encrypted program are lost.

[0096] Here, the number of the register buffer is assumed to be one, but it is also possible to provide a plurality of register buffers so as to be able to deal with multiple exceptions.

[Recovery procedure] 

[0097] Next, a procedure for recovering the saved execution state will be described.

[0098] At a time of restarting the interrupted application, a dispatcher of the OS issues a "rcvrreg" (recover register) instruction. This "rcvrreg" instruction is denoted by the following mnemonic:

rcvrreg addr

and takes one operand "addr" indicating an address at which the execution state is saved.

[0099] When the "rcvrreg" instruction is issued, the encrypted execution state information is taken out from the address of the memory specified by "addr" by the BIU 2118 of the processor, decrypted by using the secret key Ks of the processor by the decryption function 2122, and the register information is recovered in the register file 2111 while the program decryption key is recovered in the common key register 2117. When the recovery is completed, the execution of the interrupted program is restarted from a point indicated by the program counter. At this point, the key Kx recovered from the execution state information will be used for decryption of the encrypted program.

[0100] The detail of the saving and the recovery of the execution state in relation to the interruption of the encrypted program due to exception has been described above. As already described above, the encrypted programs are safe against attacks from the user who can operate the OS of the target system.

[0101] Next, the safety of the above described scheme against two types of attacks against the execution state will be described.

[Attacks against the execution state] 

[0102] There are two types of attacks against the ex- 
ecution state that is generated in a process of the appli- 
cation execution. One is the peeping of the saved exe- 
cution state by an attacker, and the other is the rewriting 
of the execution state to a desired value by an attacker. 
[0103] Here, the following two terms for expressing 
the illegal accesses to the execution state will be de- 
fined. First, the program that has generated the execu- 
tion state will be referred to as an original program for 
that execution state. The original program can be re- 
started by recovering the execution state in the regis- 
ters. On the other hand, programs other than the pro- 
gram that has generated the execution state, that is pro- 
grams encrypted by encryption keys different from that 
of the original program or plaintext programs, will be re- 
ferred to as other programs. 

[0104] The illegal accesses or the attacks with respect
to the execution state generated by some original pro- 
gram are defined as an act of directly analyzing the ex- 
ecution state on the memory by some method independ- 
ently from the operation of the processor by a third party 
who does not know the encryption key of the original 
program, or an act of analyzing the execution state or 
rewriting the execution state to a desired value by a third 
party utilizing the other programs operated on the same 
processor. 

[0105] In the microprocessor of this embodiment, the execution state is protected by the following three types of mechanisms so as to prevent the illegal accesses utilizing the access to the memory external of the processor or the other programs.

[0106] First, in this embodiment, the register information is saved in the register buffer 2119 when the execution of the encrypted program is interrupted. Then, the register buffer 2119 and the previous common key register 2123 cannot be accessed by any methods other than that using the "rcvrreg" instruction or the "savereg" instruction, so that the other programs cannot read their contents freely.

[0107] In the conventional processor, the register contents at a time of the exception occurrence can be freely read by the exception handler program. In the microprocessor of this embodiment, the register contents are saved in the register buffer 2119 so as to prohibit the reading from the other programs, and the instruction for saving the register buffer contents by encrypting them by using the public key of the processor is provided so as to prevent the peeping of the execution state saved on the memory by the user of the system.

[0108] The second attacking method includes a method for reading values of the registers contained in the execution state by placing the instruction of some other program known to the attacker at the same memory address as the original program such that this other program reads the encrypted execution state.

[0109] In the microprocessor of this embodiment, the encrypted execution state contains the program encryption key, and this key will be used in decrypting the encrypted program at a time of restart. Because of this mechanism, even when a program other than the original program attempts to read the execution state, the key does not match so that the program cannot be decrypted correctly and the program cannot be executed according to the intention of the attacker. Thus the second attacking method is impossible in the microprocessor of this embodiment.

[0110] This effect cannot be realized by simply encrypting the execution state itself by the public key of the processor, but can be realized by encrypting the decryption key of the original program and the execution state integrally.
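The following model of the "savereg" / "rcvrreg" path is an added illustration, not part of the patent text. It contrasts sealing the registers together with Kx against sealing the registers alone, for the substitution case of [0108] to [0110]. Assumptions: textbook RSA over two fixed Mersenne primes stands in for the processor key pair (Kp, Ks), a SHA-256 XOR pad stands in for the DES instruction cipher, registers are 32 bits wide, and all keys, code bytes and the `Processor` / `swap_attack` names are constructed for the example.

```python
import hashlib

# Constructed toy key pair: textbook RSA over two Mersenne primes stands in for the
# processor's (Kp, Ks). Trivially factorable; it only models the data flow.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # Kp, readable by any program
D = pow(E, -1, (P - 1) * (Q - 1))      # Ks, never leaves the processor model

NREGS, REG_BYTES, KEY_BYTES = 32, 4, 8  # R0..R31; the 32-bit width is an assumption
PC = 31                                 # R31 is the program counter


def seal(data: bytes) -> int:
    """E_Kp[data]: encryption under the processor's public key."""
    return pow(int.from_bytes(data, "big"), E, N)


def sym(key: bytes, block: bytes) -> bytes:
    """Stand-in for the DES instruction cipher: XOR with a SHA-256 pad (self-inverse)."""
    pad = hashlib.sha256(key).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, pad))


class Processor:
    def __init__(self, bind_key: bool = True):
        self.bind_key = bind_key           # False: only the registers are sealed
        self.regs = [0] * NREGS            # register file 2111
        self.kx = None                     # common key register 2117
        self._buf = None                   # register buffer 2119
        self._prev_kx = None               # previous common key register 2123

    def execenc(self, sealed_kx: int) -> None:
        """Load Kx from E_Kp[Kx] and enter encrypted execution."""
        self.kx = pow(sealed_kx, D, N).to_bytes(KEY_BYTES, "big")

    def fetch(self, memory: dict) -> bytes:
        """Read the block at the program counter through the decryption path."""
        return sym(self.kx, memory[self.regs[PC]])

    def exception(self) -> list:
        """Move registers and Kx out of reach, then hand over to the plaintext handler."""
        self._buf, self._prev_kx = self.regs, self.kx
        self.regs, self.kx = [0] * NREGS, None
        return list(self.regs)             # everything the handler can read

    def savereg(self) -> int:
        """Seal the register buffer, and Kx with it when bind_key is set, in one block."""
        state = b"".join(r.to_bytes(REG_BYTES, "big") for r in self._buf)
        if self.bind_key:
            state += self._prev_kx
        return seal(state)

    def rcvrreg(self, blob: int) -> None:
        """Unseal with Ks; restore registers and, when bound, the decryption key."""
        reg_len = NREGS * REG_BYTES
        size = reg_len + (KEY_BYTES if self.bind_key else 0)
        state = pow(blob, D, N).to_bytes(size, "big")
        self.regs = [int.from_bytes(state[i:i + REG_BYTES], "big")
                     for i in range(0, reg_len, REG_BYTES)]
        if self.bind_key:
            self.kx = state[reg_len:]


def swap_attack(bind_key: bool):
    """Run program A, interrupt it, then restore its context over substituted code."""
    cpu = Processor(bind_key)
    kx_a, kx_b = b"vendorKx", b"otherKx!"          # constructed 64-bit keys
    code_a = bytes.fromhex("1001200230034004")     # four constructed 16-bit instructions
    code_b = b"READREGS"                           # constructed stand-in for known code
    entry = 0x1000
    memory = {entry: sym(kx_a, code_a)}

    cpu.execenc(seal(kx_a))
    cpu.regs[5], cpu.regs[PC] = 0xC0FFEE, entry    # working secret held in R5
    ran_original = cpu.fetch(memory) == code_a
    handler_view = cpu.exception()
    blob = cpu.savereg()

    memory[entry] = sym(kx_b, code_b)              # other program placed at the same address
    cpu.execenc(seal(kx_b))
    cpu.rcvrreg(blob)
    substituted_code_runs = cpu.fetch(memory) == code_b
    return ran_original, handler_view, cpu.regs[5], substituted_code_runs


if __name__ == "__main__":
    for bound in (True, False):
        print("key bound into context:", bound, "->", swap_attack(bound)[3])
```

With the key bound into the sealed context, the restored Kx belongs to the original program, so the substituted block decrypts to noise; with registers sealed alone, the substituted code decrypts correctly while the original program's register values are live.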

[0111] Note that, in order to maximize this effect, values of the registers (R0 to R31) and the common key Kx should preferably be stored in the identical cipher block at a time of the encryption using the public key.

[Data protection]

[0112] In the microprocessor of this embodiment, the encryption of the data is not accounted for, but it should be apparent to those skilled in the art that it is possible to add the data encryption function to the microprocessor of this embodiment similarly as the data encryption in the microprocessor for supporting the virtual memory which will be described in the second embodiment.

[0113] Referring now to Fig. 3 to Fig. 14, the second embodiment of a tamper resistant microprocessor according to the present invention will be described in detail.

[0114] In this embodiment, the microprocessor according to the present invention will be described for an exemplary case of using an architecture based on the widely used Pentium Pro microprocessor of the Intel corporation, but the present invention is not limited to this particular architecture. In the following description, features specific to the Pentium Pro microprocessor architecture will be noted and applications to the other architectures will be mentioned.

[0115] Note that the Pentium Pro architecture distinguishes three types of addresses in the address space including physical addresses, linear addresses and logical addresses, but the linear addresses in the Pentium terminology will also be referred to as logical addresses in this embodiment.

[0116] In the following description, the protection implies the protection of secrets of applications (that is the protection by encryption), unless otherwise stated. Consequently, the protection in this embodiment should be clearly distinguished from the ordinarily used concept of protection, that is the prevention of disturbances on the operations of the other applications due to the operation of some application. However, in the present invention, it is assumed that the operation protection mechanism in the ordinary sense is of course provided by the OS (although the description of this aspect will be omitted as it is unrelated to the present invention), in parallel to the protection of secrets of applications according to the present invention.

[0117] Also, in the following description, machine language instructions that are executable by the processor will be referred to as instructions, and a plurality of instructions will be collectively referred to as an execution code or an instruction stream. A key used in encrypting the instruction stream will be referred to as the execution code encryption key.

[0118] Also, in the following description, the secret protection mechanism will be described as protecting secrets of applications under the management of the OS, but this mechanism can also be utilized as a mechanism for protecting the OS itself from alteration or analysis.

[0119] Fig. 3 shows a basic configuration of the mi- 
croprocessor according to this embodiment, and Fig. 4 
shows a detailed configuration of the microprocessor 
shown in Fig. 3. 

[0120] The microprocessor 101 has a processor core 111, an instruction TLB (Table Lookup Buffer) 121, an exception processing unit 131, a data TLB (Table Lookup Buffer) 141, and a secondary cache 152. The processor core 111 includes a bus interface unit 112, a code and data encryption/decryption processing unit 113, a primary cache 114, and an instruction execution unit 115.

[0121] The instruction execution unit 115 further includes an instruction fetch/decode unit 214, an instruction table 215, an instruction execution switching unit 216, and an instruction execution completing unit 217.

[0122] The exception processing unit 131 further includes a register file 253, a context information encryption/decryption unit 254, an exception processing unit 255, a secret protection violation detection unit 256, and an execution code encryption key and signature verification unit 257.

[0123] The instruction TLB 121 further includes a page table buffer 230, an execution code decryption key table buffer 231, and a key decryption unit 232. The data TLB 141 further includes a protection table management unit 233.

[0124] The microprocessor 101 has a key storage region 241 for storing a public key Kp and a secret key Ks which are unique to this microprocessor. Now, consider the case of purchasing a desired execution program A from some program vendor and executing it. The program vendor encrypts the program A by using a common execution code encryption key Kcode (E K before supplying the execution program A, and sends the common key Kcode used for encryption in a form encrypted by using the public key Kp of the microprocessor 101 (E_Kp[Kcode]) to the microprocessor 101. The microprocessor 101 is a multi-task processor which processes not only this execution program A but also a plurality of different encrypted programs in a quasi parallel manner (that is by allowing interruptions). Also, the microprocessor 101 obviously executes not only the encrypted programs but also plaintext programs.

[0125] The microprocessor 101 reads out a plurality of programs encrypted by using different execution code encryption keys from a main memory 281 external of the microprocessor 101 through the bus interface unit (reading function) 112. The execution code decryption unit 212 decrypts these plurality of read out programs by using respectively corresponding decryption keys, and the instruction execution unit 115 executes these plurality of decrypted programs.

[0126] In the case of interrupting the execution of some program, the context information encryption/decryption unit 254 of the exception processing unit 131 encrypts information indicating the execution state up to an interrupted point of the program to be interrupted and the code encryption key of this program by using the public key of the microprocessor 101, and writes the encrypted information into the main memory 281 as the context information.

[0127] In the case of restarting the interrupted program, the execution code encryption key and signature verification unit 257 decrypts the encrypted context information by using the secret key of the microprocessor 101, verifies whether the execution code encryption key contained in the decrypted context information (that is the execution code encryption key of the program scheduled to be restarted) coincides with the original execution code encryption key of the interrupted program, and restarts the execution of the program only when they coincide.

[0128] Here, before describing the detailed configuration and functions of the microprocessor 101, the processing procedure for the execution of plaintext instructions and the execution of encrypted programs by the microprocessor 101 will be outlined.

[0129] When the microprocessor 101 executes a plaintext instruction, the instruction fetch/decode unit 214 attempts to read the content of an address indicated by a program counter (not shown) from an L1 instruction cache 213. If the content of the specified address is cached, the instruction is read out from the L1 instruction cache 213, sent to the instruction table 215, and executed. The instruction table 215 is capable of executing a plurality of instructions in parallel, and requests reading of data necessary for carrying out the execution to the instruction execution switching unit 216 and receives the data. When the instructions are executed in parallel and their execution results are determined, the execution results are sent to the instruction execution completing unit 217. The instruction execution completing unit 217 writes the execution result into the register file 253 when the operation target is a register inside the microprocessor 101, or into an L1 data cache 218 when the operation target is a memory.

[0130] The content of the L1 data cache 218 is cached once again by an L2 cache 152 under the control of the bus interface unit 112, and written into the main memory 281. Here, the virtual memory mechanism is used, where a correspondence between the logical memory address and the physical memory address is defined by a page table shown in Fig. 5.

[0131] The page table is a data structure placed on the physical memory. The data TLB 141 actually carries out a conversion from the logical address to the physical address, and at the same time manages the data cache. The data TLB 141 reads a necessary portion of the table according to a top address of the table indicated by a register inside the microprocessor 101, and carries out the operation for converting the logical address into the physical address. At this point, only the necessary portion of the page table is read out to a page table buffer 234 according to the logical address to be accessed, rather than reading out the entire page table on the memory to the data TLB 141.

[0132] The basic cache operation is stable regardless of whether the instructions of the program are encrypted or not. Namely, a part of the page table is read out to the instruction TLB 121, and the address conversion is carried out according to the definition contained therein. The bus interface unit 112 reads instructions from the main memory 281 or the L2 cache 152, and instructions are stored in the L1 instruction cache 213. The reading of instructions out to the L1 instruction cache 213 is carried out in units of a line formed by a plurality of words, which enables a faster access than the reading in word units.

[0133] The address conversion utilizing the same 
page table on the physical memory is also carried out 
for the processing target data of the executed instruc- 
tions, and the execution of the conversion is carried out 
at the data TLB 141 as described above. 
[0134] The operation up to this point is basically the 
same as the general cache memory operation. 
[0135] Next, the operation in the case of executing an
encrypted program will be described. In this embodiment,
it is assumed that the execution codes for which
secrets are to be protected are all encrypted, and the
encrypted execution codes will also be referred to as
protected codes. In addition, a range of the protection
by the same encryption key will be referred to as a
protection domain. Namely, a set of codes protected by the
same encryption key belongs to the same domain,
and codes protected by different encryption keys belong
to different protection domains.
[0136] First, the execution codes of a program encrypted
by the secret key scheme block cipher algorithm
are stored on the main memory 281. A method for loading
the encrypted program transmitted from a program
vendor will be mentioned below.
[0137] A cipher block size of the execution codes can
be any value as long as two to the power of the block
size coincides with a line size that is a unit for reading/writing
with respect to the cache memory. However, if
the block size is so small that a block length coincides
with an instruction length, there arises a possibility for
analyzing the instruction easily by recording a correspondence
between encrypted data and a predictable
portion of the instruction such as a top portion of a subroutine.
For this reason, in this embodiment, the blocks
are interleaved such that there is a mutual dependency
among data in the blocks and the encrypted block contains
information on a plurality of instruction words or
operands. In this way, it is made difficult to set a correspondence
between the instruction and the encrypted
block.

[0138] Figs. 7A and 7B show an example of the interleaving
that can be used in this embodiment. In this example,
it is assumed that the line size of the cache is 32
bytes and the block size is 64 bits (i.e., 8 bytes). As
shown in Fig. 7A, before the interleaving, one word is
formed by 4 bytes, so that a word A is formed by 4 bytes
of A0 to A3. One line is formed by 8 words of A to H.
When this is interleaved in units of 8 bytes corresponding
to the block size of 64 bits, as shown in Fig. 7B, A0,
B0, ..., H0 are arranged in the first block corresponding
to word 0 and word 1, A1, B1, ..., H1 are arranged
in the next block, and so on.

[0139] An attack can be made more difficult by setting
a length of a region to be interleaved longer, but the
interleaving of a region with a length longer than the line
size makes the processing more complicated and lowers
the processing speed because the decryption/encryption
of one cache line would depend on reading/writing
of another line. Thus it is preferable to set a range
for interleaving within a range of the cache line size.

[0140] Here the method for interleaving data of blocks
is used such that there is a mutual dependency among
data in a plurality of blocks contained in the cache line,
but it is also possible to use the other method for
generating a dependency among data blocks, such as the
CBC (Cipher Block Chaining) mode of the block cipher.
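
The interleaving of Figs. 7A and 7B and its inverse, as an added Python example that is not part of the patent text: it encrypts two constructed cache lines that begin with the same subroutine prologue and reports which 8-byte cipher blocks coincide, with and without interleaving. The block cipher is a stand-in (an 8-round Feistel network built on HMAC-SHA256), and the key, the sample bytes and all function names are assumptions.

```python
import hashlib
import hmac

LINE_SIZE = 32                   # cache line in bytes (value from the text)
WORD_SIZE = 4                    # one word = 4 bytes, e.g. A0..A3
BLOCK_SIZE = 8                   # 64-bit cipher block
WORDS = LINE_SIZE // WORD_SIZE   # 8 words, A..H
ROUNDS = 8                       # assumption: rounds of the stand-in cipher


def interleave(line):
    """Fig. 7A -> 7B: block k collects byte k of every word (Ak, Bk, ..., Hk)."""
    if len(line) != LINE_SIZE:
        raise ValueError("expected exactly one cache line")
    return bytes(line[w * WORD_SIZE + k]
                 for k in range(WORD_SIZE) for w in range(WORDS))


def deinterleave(data):
    """Inverse permutation, applied after block decryption on a cache fill."""
    if len(data) != LINE_SIZE:
        raise ValueError("expected exactly one cache line")
    return bytes(data[k * WORDS + w]
                 for w in range(WORDS) for k in range(WORD_SIZE))


def _f(key, rnd, half):
    # Feistel round function built from HMAC-SHA256 (stand-in, not the patent's cipher)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _blocks(data):
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def encrypt_line(key, line, interleaved=True):
    data = interleave(line) if interleaved else line
    return b"".join(encrypt_block(key, b) for b in _blocks(data))


def decrypt_line(key, ciphertext, interleaved=True):
    data = b"".join(decrypt_block(key, b) for b in _blocks(ciphertext))
    return deinterleave(data) if interleaved else data


def shared_blocks(ct_a, ct_b):
    """Indices of cipher blocks that are byte-identical in two encrypted lines."""
    return [i for i, (x, y) in enumerate(zip(_blocks(ct_a), _blocks(ct_b))) if x == y]


# Constructed sample data: two cache lines that start with the same 8-byte
# subroutine prologue (words A and B) and differ in words C..H.
KCODE = bytes.fromhex("0123456789abcdef")
PROLOGUE = bytes.fromhex("5589e583ec185356")
LINE_A = PROLOGUE + bytes(range(0x10, 0x28))
LINE_B = PROLOGUE + bytes(range(0x80, 0x98))


def compare_leakage():
    """Return (shared blocks without interleaving, shared blocks with it)."""
    plain = shared_blocks(encrypt_line(KCODE, LINE_A, False),
                          encrypt_line(KCODE, LINE_B, False))
    mixed = shared_blocks(encrypt_line(KCODE, LINE_A, True),
                          encrypt_line(KCODE, LINE_B, True))
    return plain, mixed


if __name__ == "__main__":
    print(compare_leakage())
```

Without interleaving the shared prologue yields an identical first cipher block in both lines; with interleaving every block mixes one byte from each of the eight words, so no block repeats.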
[0141] The decryption key Kcode (which will also be
referred to as the encryption key hereafter even in the
case of decryption because the encryption key and the
decryption key are identical in the secret key algorithm)
of the encrypted execution codes is determined according
to the page table. Fig. 5 and Fig. 6 show a table structure
of the conversion from the logical address to the
physical address.

[0142] A logical address 301 of the program counter
indicates some value, and a directory 302 and a table
303 constituting its upper bits specify a page entry 307-j.
The page entry 307-j contains a key entry ID 307-j-k,
and a key entry 309-m to be used for decryption of this
page is determined in a key table 309 according to this
ID. The physical address of the key table 309 is specified
by a key table control register 308 inside the microprocessor.

[0143] In this configuration, the ID of the key entry is
set in the page entry rather than setting the key information
directly, such that the key information in a large
size is shared among a plurality of pages so as to save
a limited size of a memory region on the instruction TLB
121.
[0144] In further detail, the page table and key table
information is stored into the instruction TLB 121 as follows.
Only portions necessary for the access to the
memory are read out from the page tables 306, 307 and
311 to the page table buffer 230, and from the key table
309 to the execution code decryption key table buffer
231.

[0145] In a state of being stored on the main memory,
a reference counter of the key object 309-m which is an
element of the key table 309 indicates the number of
page tables that refer to this key object. In a state where
the key object is read out to the execution code decryption
key table buffer 231, this reference counter indicates
the number of page tables that refer to this key
object and that are read out to the page table buffer 230.
This reference counter will be used for judgement at a
time of deleting any unnecessary key object from the
execution code decryption key table buffer 231.
[0146] One of the features of this embodiment is that
the key table entry has a fixed length but a key length
used in each table is made variable in order to be able
to deal with a higher cryptanalytic power, and specified
at a key size region of the key table. It implies that the
secret key Ks unique to the microprocessor 101 is fixed
but the length of Kcode to be used for encryption and
decryption of the program can be changed by the
specification of the key entry. In order to specify a position of
the variable length key, the key entry 309-m has a field
309-m-4 pointing to the key entry, which indicates an
address of the key object 310.
[0147] In the key object region 310, the execution
code encryption key Kcode is stored in a form E_Kp[Kcode]
encrypted by the public key algorithm using the
public key Kp of the microprocessor 101. In order to
encrypt data safely in the public key algorithm, a large
redundancy is necessary, so that a length of the encrypted
data becomes longer than a length of the original data.
Here, lengths of Ks and Kp are set to be 1024 bits, a
length of Kcode is set to be 64 bits, which is extended
to 256 bits by padding, and E[Kcode] is encrypted in a
length of 1024 bits and stored in the key object region
310. When Kcode is so long that it cannot be stored in
1024 bits, it is divided into a plurality of blocks of 1024
bits size each and stored.

[0148] Fig. 8 summarizes the information flow in the
code decryption. A program counter 501 indicates an
address "Addr" on an encrypted code region 502 on a
logical address space 502. The logical address "Addr"
is converted into the physical address "Addr'" according
to the page table 307 that is read out to the instruction
TLB 121. At the same time, the encrypted code decryption
key E[Kcode] is taken out from the key table 309,
decrypted by using the secret key Ks provided in the
CPU at a decryption function 506, and stored into a current
code decryption key memory unit 507. The common
key Kcode for the code encryption is encrypted by using
the public key Kp of the microprocessor 101 by the program
vendor, and supplied along with the program encrypted
by using Kcode, so that the user who does not
know the secret key Ks of the microprocessor 101 cannot
know Kcode.

[0149] After the program execution codes are en- 
crypted by using Kcode and shipped, the program ven- 
dor keeps and manages Kcode safely such that its se- 
cret will not be leaked to a third party. 
[0150] An entire key table 511 and an entire page table
512 are placed in a physical memory 510, and their
addresses are specified by a key table register 508 and
a CR3 register 509 respectively. From the contents of
these entire tables, only necessary portions are cached
into the instruction TLB 121 through the bus interface
unit 112.

[0151] Now, when a content 503 corresponding to the
physical address "Addr'" as converted by the instruction
TLB 121 is read out by the bus interface unit 112, this
page is encrypted so that it is decrypted at a code
decryption function 212. The reading is carried out in units
of the cache line size, and after the decryption in block 
units, the inverse processing of the interleaving de- 
scribed above is carried out. The decrypted result is 
stored in the L1 instruction cache 213, and executed as 
an instruction. 

[0152] Here, the method for loading the encrypted 
program and the relocation of the encrypted program 
will be described. For the loading of a program into the 
memory, there is a method in which a program loader 
changes an address value contained in the execution 
codes of the program in order to deal with a change of 
an address for loading the program, but this method is 
not applicable to the encrypted program. However, the 
relocation of the encrypted program is possible by using 
a method of realizing the relocation without directly re- 
writing the execution codes by utilizing a table called 
jump table or IAT (Import Address Table). 
[0153] Further details of the loading procedure and 
the relocation for general programs can be found, for 
example, in L.W. Allen et al., "Program Loading in OSF/1",
USENIX Winter, 1991, and the loading method and
the relocation for the encrypted program can be found 
in Japanese Patent Application No. 2000-35898 of the 
applicants. 

[0154] It is possible to protect the execution codes 
placed on the memory external of the processor by the 
above described method for decrypting the encrypted 
execution codes of the program, reading them out to the 
cache memory inside the processor, and executing 
them. 

[0155] However, the execution codes that are de- 
crypted into plaintext can exist inside the processor. 
Even if it is impossible to read them out directly from 
outside the processor, there is a possibility for the
plaintext program to be read out and analyzed by the other
programs that are operated in the same processor.
[0156] In this embodiment the key decryption 
processing by using the secret key 241 and the key de- 
cryption unit 232 of the instruction TLB 121 is not carried 
out at a time of data reading into an L1 data cache 218.
When the data reading is carried out with respect to an 
encrypted page for which an encryption flag 307-j-E is 
set to "1" in the page table, either non-decrypted original 
data or data of a prescribed value "0" will be read out, 
or else an exception occurs such that the normally de- 
crypted data cannot be read out. Note that when the en- 
cryption flag 307-j-E in the page table is rewritten, the 
decrypted content of the corresponding instruction 
cache will be invalidated. 

[0157] By this mechanism, it becomes impossible for
the other programs (including the own program) to read 
the execution codes of the encrypted program as data, 
and decrypt them by utilizing functions of the processor. 
[0158] Also, the other programs cannot explicitly read
data in the instruction cache, so that the safety of the 
execution codes can be guaranteed. The safety of the 
data will be described below. 

[0159] Because the encrypted execution codes can 
be executed in this way, in the microprocessor of this 
embodiment, by selecting the encryption algorithm and 
parameters appropriately, it can be made cryptograph- 
ically impossible for a party who does not know the true 
value of the execution code encryption key Kcode to an- 
alyze the operation of the program by de-assembling the 
execution codes. 

[0160] Thus the user cannot know the true value of 
the execution code encryption key Kcode, and it can be 
made cryptographically impossible for the user to make 
an alteration according to the user's intention such as 
illegal copying of the contents handled by the application 
by altering a part of the encrypted program. 
[0161] Next, another feature of the microprocessor of
this embodiment regarding the encryption, signature
and its verification for the context at a time of interrupting
the program execution under the multi-task environment 
will be described. 

[0162] The execution of the program under the multi-task
environment is often interrupted by the exception.
Normally, when the execution is interrupted, a state in
the processor is saved on the memory, and then the
original state is recovered at a time of restarting the
execution of that program later on. In this way, it becomes
possible to execute a plurality of programs in a quasi
parallel manner and accept the interruption processing.
This information on the state at a time of the interruption
is called the context information. The context information
contains information on registers used by the application,
and in some cases, information on registers that
are not explicitly used by the application is also contained
in addition.

[0163] In the conventional processor, when the interruption
occurs during the execution of some program,
the control is shifted to the execution codes of the OS
while the register state of the application is maintained,
so that the OS can check the register state of that program
to guess what instructions were executed, or alter
the context information maintained in a plaintext form
during the interruption so as to change the operation of
the program after the restart of the execution of that program.

[0164] In view of this fact, in this embodiment, when
the interruption occurs during the execution of the protected
codes, the context of the execution immediately
before that is encrypted and saved while all the application
registers are either encrypted or initialized, and a
signature made by the processor is attached to the context
information. The signature is verified at a time of
recovery from the interruption, to check whether the signature
is proper or not. When the improper signature is
detected, the recovery is stopped so that the illegal alteration
of the context information by the user can be
prevented. At this point, the encryption target registers
are user registers 701 to 720 shown in Fig. 9.
[0165] In the Pentium Pro architecture, there is a
hardware mechanism for assisting the saving of the context
information of the process into the memory and its
recovery. A region for saving the state is called TSS
(Task State Segment). In the following, an exemplary
case of applying the present invention to this mechanism
will be described, but the present invention is not
limited to the Pentium Pro architecture, and equally applicable
to any processor architectures in general.

[0166] The saving of the context information in conjunction
with the exception occurrence takes place in the
following case. When the exception occurs, an entry
corresponding to the interruption cause is read out from
a table called IDT (Interrupt Descriptive Table) for describing
the exception processing, and the processing
described there is executed. When the entry indicates
a TSS, the context information saved in the indicated
TSS is recovered to the processor. On the other hand,
the context information of the process that has been executed
up until then is saved in the TSS region specified
by a task register 725 at that point.
[0167] Using this automatic context saving mechanism,
it is possible to save the entire state of the application
including the program counter and the stack
pointer, and detect any alteration at a time of the recovery
by verifying the signature. However, when this automatic
context saving is used, apart from the fact that
a large overhead will be caused by the context switching,
there arises a problem that it is impossible to carry
out the interruption processing without using the TSS.
[0168] In order to reduce the overhead due to the interruption
processing, or to maintain the compatibility
with the existing programs, it is preferable not to use the
automatic context saving mechanism, but in such a
case, the program counter will be saved on the stack
and cannot be a target of the verification, so that it can
be a target of the alteration by the malicious OS. These
two cases should preferably be used in their proper ways
according to the purpose. For this reason, the microprocessor
of this embodiment adopts the automatic context
saving with respect to the protected (encrypted) execution
codes as a result of attaching more importance
to the safety. The registers to be automatically saved
may not necessarily be all registers.
[0169] The context saving and recovery processing in
this embodiment has the following three major features. 

(1) The contents of the saved context can be de- 
crypted only by the microprocessor that generated 
the context and a person who knows the encryption 
key Kcode of the program that generated the con- 
text. 

(2) In the case where the program protected by 
some execution code encryption key X is interrupted
and its context is saved, its restart processing
cannot be applied to the restart of a non-protected 
program or a program encrypted by another execu- 
tion code encryption key Y. Namely, the program to 
be recovered from the interruption cannot be re- 
placed by another program at a time of the restart. 

(3) The recovery of the altered context is prohibited. 
Namely, if the saved context is altered, that context 
will not be recovered. 

[0170] By the above feature (1), it is possible to maintain
the safety of the context information while enabling
the analysis of the context information by the program 
vendor. The fact that the program vendor has a right to 
analyze the context information is important in order to 
maintain the quality of the program by analyzing causes 
of any trouble that occurred according to a condition by 
which the program is used by the user. 
[0171] The above feature (2) is effective in preventing 
a situation where an attacker applies the context gener- 
ated by the execution of a program A to another encrypt- 
ed program B and restarts the program B from a known 
state saved in the context in order to analyze secrets of 
the data or the codes contained in the program B or alter 
the operation of the program B. This function is also a 
prerequisite for the data protection to be described be- 
low in which each one of a plurality of applications main- 
tains own encrypted data exclusively and independently 
from the others. 

[0172] By the above feature (3), it is possible to strictly
eliminate the alteration of the context information utiliz- 
ing an occasion of the restart of the program. 
[0173] The reason for providing such a function is that 
simply encrypting the context information according to 
the secret information of the processor can protect the 
context information from the alteration according to the 
intention of the attacker, but it is impossible to eliminate 
a possibility for the random alteration of the context that 
results in the restart of the program from a state with 
random errors. 

[0174] In the following, the context saving and verification
method incorporating the above three features
will be described in further detail.

<Context saving processing> 

[0175] Fig. 10 shows the context saving format in this
embodiment conceptually. It is assumed that the inter- 
ruption due to the hardware or software related cause 
has occurred during the execution of the protected pro- 
gram. If the IDT entry corresponding to the interruption 
indicates a TSS, the execution state of the program up 
to that point is encrypted, and saved as the context in- 
formation in a TSS indicated by the current task register 
725 (rather than the indicated TSS itself). Then, the ex- 
ecution state saved in the TSS indicated by the IDT entry 
is recovered to the processor. If the IDT entry does not 
indicate a TSS, only the encryption or the initialization 
of the current registers is carried out, and the saving into 
the TSS does not take place. Of course the restart of
that program becomes impossible in that case. Note 
however that the system registers including a part of the 
flag registers and the task register are excluded from a 
target of the encryption or the initialization of the regis- 
ters for the sake of continuation of the OS operation. 
[0176] The contents of the context shown in Fig. 10 
are actually interleaved, encrypted in block units and 
stored in the memory. Here the information items to be 
saved will be described first. At a top, stack pointers and 
user registers 802 to 825 corresponding to respective 
privileged modes are provided, and one word 826 indi- 
cating a TSS size and the presence/absence of the en- 
cryption is placed next. This indicates whether the TSS 
in which the processor is saved is encrypted or not. Even 
in the case where the TSS is encrypted, this region will 
be maintained in a plaintext form without being encrypt- 
ed. 

[0177] After that, data encryption control register
(CY0 to CY3) regions 827 to 830 that are added for the
purpose of the data protection are placed, and a padding
831 for adjusting the size to the block length is placed.
Finally, a value E_Kcode[Kr] 832 in which a key Kr used
in encrypting the context is encrypted by the secret key
algorithm using the execution code encryption key
Kcode, a value E_Kp[Kr] 833 in which the key Kr used in
encrypting the context is encrypted by using the public
key Kp of the processor, and a signature S_Ks[message]
834 using the secret key Ks of the processor with respect
to them all are placed. Also, a region 801 for a link
to the previous task that maintains a call up relationship
among tasks is saved in a plaintext form in order to enable
the task scheduling by the OS.
[0178] These execution code encryption and signa- 
ture generation are carried out by the context informa- 
tion encryption/decryption unit 254 in the exception 
processing unit 131 shown in Fig. 4, which is based on 
a function independent from the encryption of the 
processing target data of the execution codes. At a time 
of saving the context information in the TSS, even if 
some encryption is specified in an address of the TSS
by the other data encryption function, this specification 
is ignored and the context information is saved in a state 
in which the context is encrypted. This is because the 
encryption attributes of the data encryption function are 
specific to each protected (encrypted) program so that 
the restart of some program cannot depend on that func- 
tion. 

[0179] In encrypting the context, a word in the TSS
size region 826 to be recorded in a plaintext form is replaced
with a value "0". Then, the interleaving similar to
that explained with references to Figs. 7A and 7B is applied,
and the context is encrypted. At this point, the padding
831 is set to a size that enables the appropriate
interleaving in accordance with the encryption block
size.

[0180] Here, the reason for not encrypting the register
values directly by the public key Kp of the processor or 
the execution code encryption key Kcode is to enable 
the analysis of the encrypted context by both the pro- 
gram vendor and the processor while prohibiting the de- 
cryption of the context by the user. 
[0181] The program vendor knows the execution
code encryption key Kcode so that the program vendor
can obtain the encryption key Kr of the context by decrypting
E_Kcode[Kr] 832 by using Kcode. Also, the microprocessor
101 can obtain the encryption key Kr of
the context by decrypting E_Kp[Kr] 833 by using the own
secret key Ks. Namely, the program vendor can analyze
the trouble by decrypting the context information without
knowing the secret key of the microprocessor of the user,
and the microprocessor 101 itself can restart the execution
by decrypting the context information by using
the own secret key Ks. The user who does not have either
key cannot decrypt the saved context information.
Also, the user who does not know the secret key Ks of
the microprocessor 101 cannot forge the context information
and the signature S_Ks[message] with respect to
E_Kcode[Kr] and E_Kp[Kr].

[0182] In order to enable the mutually independent 
decryption of the context information by the program 
vendor and the microprocessor, it is also possible to 
consider a method for encrypting the context informa- 
tion directly by using Kcode. However, in the case where 
the register state is already known, there is a possibility 
for the known-plaintext attack against the execution 
code encryption key Kcode. Namely, when a value of 
the key for encrypting data is fixed, the following prob- 
lem arises. Consider the case of executing a program 
which reads a data input by the user and writes it into a 
working memory temporarily by encrypting it. The data 
that are to be encrypted and written into the working 
memory can be ascertained by monitoring the memory, 
so that the user can repeat the input many times by 
changing the input value and obtain the corresponding 
encrypted data. This implies that the chosen-plaintext 
attack of the cryptanalysis theory is possible.
[0183] The known-plaintext attack is not fatal to the
secret key algorithm, but it is still preferable to avoid that.
For this reason, a random number Kr is generated at a
random number generation mechanism 252 of the exception
processing unit 131 at each occasion of the context
saving, and supplied to the context information encryption/decryption
unit 254. The context information
encryption/decryption unit 254 encrypts the context by
the secret key algorithm using the random number Kr.
Then, the value E_Kcode[Kr] 832 in which the random
number Kr is encrypted by the same secret key algorithm
using the execution code encryption key Kcode is
attached. The value E_Kp[Kr] 833 is obtained by encrypting
the random number Kr by the public key algorithm
using the public key Kp of the microprocessor.

[0184] Here, the random number is generated by the
random number generation mechanism 252. In the case
where the program is encrypted, normally there is no
change in the program codes so that the corresponding
plaintext codes cannot be acquired illegally as long as
the operation is not analyzed. In this case, there is a
need to carry out the "ciphertext-only attack" in order to
cryptanalyze, so that it is very difficult to find the encryption
key. However, in the case where the data entered
by the user are to be stored into the memory by
encrypting them, the user can freely select the input data.
For this reason, it is possible for the user to make the
"chosen-plaintext attack" against the encryption key
which is far more effective than the "ciphertext-only attack".

[0185] Against the chosen-plaintext attack, it is possible
to adopt a measure for enlarging the search space
by adding a random number called "salt" into the plaintext
to be protected. However, it is very tedious to implement
the saving into the memory in a form where the
"salt" random number is incorporated in every data at
the application programming level, so that this can
cause the lowering of the programming efficiency and
performance.

[0186] For this reason, the random number generation
mechanism 252 generates the random number (encryption
key) for encrypting the context at each occasion
of the context saving. As the encryption key can be selected
arbitrarily, there is also an effect that the safe
communications between processes or between processes
and devices can be realized faster. This is because
the speed for encrypting data by the hardware at
a time of the memory access is far slower in general
than the speed for encrypting data by the software.
[0187] On the contrary, if the value of the encryption
key for the data region is limited to a prescribed value
such as that identical to the execution code encryption
key for example, then it becomes impossible to use the
data encryption function of the processor for the other
programs encrypted by the other encryption keys or the
sharing of the encrypted data with the devices, so that
it becomes impossible to take advantage of the fast
hardware encryption function provided in the processor.
[0188] Note that the decryption of the encrypted random
number E_Kcode[Kr] 832 that takes place at a time
of the restart and the generation of the signature 834 
can be based on any algorithm and secret information 
as long as a condition that they can be carried out only 
by the microprocessor 101 is satisfied. In the above ex- 
ample, the secret key Ks unique to the microprocessor 
101 (which is also used for the decryption of the execu- 
tion code encryption key Kcode) is used for both, but 
respectively different values may be used for these pur- 
poses. 

[0189] Also, the saved context contains a flag indicating
the presence/absence of the encryption, so that the
encrypted context information and the non-encrypted 
context information can coexist according to the need. 
The TSS size and the flag indicating the presence/ab- 
sence of the encryption are stored in a plaintext form so 
that it is easy to maintain the compatibility with respect 
to the past programs. 

<Processing for restarting the interrupted program>

[0190] At a time of restarting the process by recover- 
ing the context, the OS issues a jump or call instruction 
with respect to a TSS descriptor indicating the saved 
TSS. 

[0191] Returning now to Fig. 4, the execution code encryption
key and signature verification unit 257 of the exception
processing unit 131 verifies the signature S_Ks[message]
834 by using the secret key Ks of the processor
first, and sends the verification result to the exception
processing unit 255. In the case where the verification
result is failure, the exception processing unit
255 stops the restart of the execution of the program,
and causes the exception. By this verification, it is possible
to confirm that the context information is surely
generated by the proper microprocessor 101 that has
the secret key and not altered.

[0192] When the verification of the signature succeeds,
the context information encryption/decryption
unit 254 obtains the random number Kr by decrypting
the context encryption key E_Kp[Kr] 833 by using the
secret key Ks. On the other hand, the execution code
encryption key Kcode corresponding to the program
counter (EIP) 809 is taken out from the page table buffer
230, and sent to the current code encryption key memory
unit 251. The context information encryption/decryption
unit 254 decrypts E_Kcode[Kr] by using the execution
code decryption key Kcode, and sends the result to the
execution code encryption key and signature verification
unit 257. The execution code encryption key and
signature verification unit 257 verifies whether the decryption
result of E_Kcode[Kr] 832 coincides with the decryption
result of the microprocessor using the secret
key Ks or not. By this verification, it is possible to confirm
that this context information is generated by the execution
of the execution codes encrypted by using the secret
key Kcode.

[0193] If this verification of the execution code encryption
key with respect to the context information is not
carried out, it would become possible for the user to
make an attack by producing codes encrypted by using
any suitable secret key Ka and applying the context information
obtained by executing these codes to the
codes encrypted by the other secret key Kb. The above
verification eliminates a possibility of this attack and
guarantees the safety of the context information for the
protected codes.

[0194] This object can also be achieved by adding a secret
execution code encryption key Kcode to the context information,
but in this embodiment, by the use of the value E_Kcode[Kr] in
which a secret random number Kr used in encrypting the context
information is encrypted by using the execution code encryption
key Kcode selected by the program vendor, it is possible to
reduce the amount of memory required for saving the context
information so as to achieve the effects of the fast context
switching and the memory saving. This also enables the feedback
of the context information to the program creator.

[0195] Now, when the verification of the execution code
encryption key and the verification of the signature by the
execution code encryption key and signature verification unit
257 both succeed, the context is recovered to the register file
253, and the program counter value is also recovered so that the
control is returned to an address at a time of the execution
interruption that caused this context to be generated.

[0196] When either one of these verifications fails so that the
exception processing unit 255 causes the exception to occur, an
exception occurrence address indicates an address at which the
jump or call instruction is issued. Also, a value indicating
illegality of the TSS is stored into an interruption cause field
in the IDT table, and an address of a jump target TSS is stored
into a register that stores an address that is the cause of the
interruption. In this way, the OS can learn the cause of the
context switching failure.

[0197] Note that, in order to realize the faster restart
processing, it is also possible to use a configuration in which
the supply of the execution state encrypted by the context
information encryption/decryption unit 254 to the register file
253 and the verification processing by the execution code
encryption key and signature verification unit 257 are carried
out in parallel, and the subsequent processing is stopped when
the verification fails.

[0198] The safety of this encryption scheme using a random
number depends on the impossibility to predict a random number
sequence used, and a method for generating by hardware a random
number that is very hard to predict is disclosed in Onodera, et
al., Japanese Patent No. 2980576.
[0199] The analysis of the context information by the program
vendor is important in improving the quality of the program by
analyzing the causes of any trouble in the program that occurred
according to a condition by which the program is used by the
user. In this embodiment, in view of this fact, the above
described scheme for realizing both the safety of the context
and the capability of the context information analysis by the
program vendor is employed, but it is also true that the use of
this scheme increases the overhead of the context saving.
[0200] Moreover, the verification of the context infor- 
mation by using the signature made by the microproc- 
essor prevents the execution of the protected codes in 
the illegal context information by using a combination of 
arbitrarily selected value and encryption key, but this ad- 
ditional protection also increases the overhead. 
[0201] Consequently, in the case where there is no 
need for the capability of the context information analy- 
sis by the program vendor or a mechanism for eliminat- 
ing the program restart using the illegal context informa- 
tion, the context information containing information for 
identifying the execution code encryption key may be 
directly encrypted by using the secret key of the proc- 
essor. Even in such a case, it is still possible to make 
the intentional alteration of the context cryptographically
impossible, and prevent the context information from 
being applied to a program encrypted by using a differ- 
ent encryption key. 

[0202] Here, the context saving format will be described
further. Its relationship with the operation will be described
later.

[0203] In Fig. 10, an "R" bit 825-1 is a bit indicating whether
the context is restartable or not. When this bit is set to "1",
the execution can be restarted by recovering the state saved in
the context by the above described recovery procedure, whereas
when this bit is set to "0", the restart cannot be made. This
has an effect of preventing the restart of the context in which
the illegality is detected during the execution of the encrypted
program so as to limit the restartable contexts to only those in
the proper states.
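
The restart checks of paragraphs [0191] to [0195] and the "R" bit of [0203], as an added C model that is not part of the patent text: XOR stands in for both ciphers (so Kp and Ks are one value here) and a keyed mixing function stands in for the processor signature. The function names, the constructed key values, the assumption that the signature covers the "R" bit, and the placing of the "R" bit test after the two verifications are choices of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins (assumptions, not the patent's ciphers): XOR plays both the
 * public-key and the symmetric cipher, so Kp and Ks are one value here, and a
 * keyed mixing function plays the processor signature S_Ks[message]. */
static uint64_t toy_crypt(uint64_t key, uint64_t v) { return v ^ key; }

typedef struct {
    uint64_t r_bit;       /* "R" bit 825-1: 1 = restartable */
    uint64_t eip;         /* program counter (EIP) 809 */
    uint64_t enc_state;   /* execution state encrypted under Kr */
    uint64_t e_kcode_kr;  /* E_Kcode[Kr] 832 */
    uint64_t e_kp_kr;     /* E_Kp[Kr] 833 */
    uint64_t sig;         /* S_Ks[message] 834 */
} saved_ctx;

static uint64_t toy_sign(uint64_t ks, const saved_ctx *c) {
    const uint64_t w[5] = { c->r_bit, c->eip, c->enc_state,
                            c->e_kcode_kr, c->e_kp_kr };
    uint64_t h = ks ^ 0x9e3779b97f4a7c15ULL;
    for (int i = 0; i < 5; i++) {   /* each step is a bijection on h */
        h ^= w[i];
        h *= 0x100000001b3ULL;
        h ^= h >> 29;
    }
    return h;
}

typedef enum { RESTORE_OK, ERR_SIGNATURE, ERR_KEY_BINDING,
               ERR_NOT_RESTARTABLE } restore_result;

/* Context save: Kr encrypts the state, and Kr itself is stored twice,
 * once under the code key and once under the processor key. */
static saved_ctx save_context(uint64_t ks, uint64_t kcode, uint64_t kr,
                              uint64_t eip, uint64_t state, int restartable) {
    saved_ctx c;
    c.r_bit = restartable ? 1u : 0u;
    c.eip = eip;
    c.enc_state = toy_crypt(kr, state);
    c.e_kcode_kr = toy_crypt(kcode, kr);
    c.e_kp_kr = toy_crypt(ks, kr);
    c.sig = toy_sign(ks, &c);
    return c;
}

/* kcode_at_eip is the key the page table holds for the saved EIP. */
static restore_result restore_context(uint64_t ks, uint64_t kcode_at_eip,
                                      const saved_ctx *c, uint64_t *state) {
    if (toy_sign(ks, c) != c->sig)
        return ERR_SIGNATURE;        /* not made by this processor, or altered */
    uint64_t kr_proc = toy_crypt(ks, c->e_kp_kr);
    uint64_t kr_code = toy_crypt(kcode_at_eip, c->e_kcode_kr);
    if (kr_proc != kr_code)
        return ERR_KEY_BINDING;      /* context came from code under another key */
    if (c->r_bit != 1)
        return ERR_NOT_RESTARTABLE;
    *state = toy_crypt(kr_proc, c->enc_state);
    return RESTORE_OK;
}

/* Constructed sample values. */
#define KS    0x1111222233334444ULL
#define KA    0xaaaaaaaa00000001ULL
#define KB    0xbbbbbbbb00000002ULL
#define KR    0x0123456789abcdefULL
#define STATE 0xfeedfacecafef00dULL

static uint64_t last_state;   /* state recovered by the latest run_case() */

/* Saves a context for code under KA, then restarts it against the key
 * the page table reports for the restart address. */
static restore_result run_case(uint64_t kcode_at_restore, int restartable,
                               int tamper) {
    saved_ctx c = save_context(KS, KA, KR, 0x401000, STATE, restartable);
    if (tamper)
        c.enc_state ^= 1;     /* one bit flipped while the context sat in memory */
    last_state = 0;
    return restore_context(KS, kcode_at_restore, &c, &last_state);
}

int main(void) {
    printf("genuine context:        %d\n", run_case(KA, 1, 0));
    printf("altered in memory:      %d\n", run_case(KA, 1, 1));
    printf("Ka context on Kb code:  %d\n", run_case(KB, 1, 0));
    printf("R bit cleared:          %d\n", run_case(KA, 0, 0));
    return 0;
}
```

The third case is the attack of [0193]: the signature is genuine, and only the comparison of the two recovered values of Kr rejects the context.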

[0204] A "U" bit 825-2 is a flag indicating whether the TSS is a
user TSS or a system TSS. When this bit is set to "0", the saved
TSS is the system TSS, and when this bit is set to "1", the
saved TSS is the user TSS. The TSS that will be saved and
recovered through the task switching accompanied by the change
of the privilege from the exception entry as described above or
through a task gate call up is the system TSS.
[0205] The difference between the system TSS and 
the user TSS lies in whether a task register indicating a 
TSS saving location of the currently executed program 
is to be updated or not at a time of the recovery of the 
TSS. In the recovery of the system TSS, the task register 
of the currently executed program will be saved in the 
link to the previous task region 801 of the TSS to be 
newly recovered, and the segment selector of the new 
TSS will be read into the task register. On the other 
hand, in the recovery of the user TSS, the update of the 
task register value will not be carried out. The user TSS 
is aimed only at the saving and the recovery of the register
state of the program so that it is not accompanied by the change
of the privileged mode.
[0206] The exception includes a software interrupt used for the
system call up from the application program. In the case of the
software interrupt for the purpose of the system call up, the
general purpose register is often used for the parameter
exchange, and there can be cases where the context information
encryption can obstruct the parameter exchange.
[0207] The software interrupt is generated by the application
itself, so that it is possible for the application to destroy
information of the registers that have secrets, prior to the
generation of the software interrupt. Under the presumption of
such conditions, it is possible to use a scheme in which the
encryption of the registers is not carried out only in the case
of the software interrupt. Of course, in such a case, the
application program creator should take this fact into
consideration and design the program such that the secrets of
the program can be protected.

[0208] Next, the suppression of the plaintext program debugging
function will be described.
[0209] The processor has a step execution function which causes
the interruption whenever one instruction is executed, and a
debugging function which causes the exception whenever a memory
access with respect to a specific address is made. These
functions may be useful for the development of programs but they
can impair the safety of programs that are encrypted for the
purpose of the secret protection. Consequently, in the
microprocessor of this embodiment, such debugging functions are
suppressed during the execution of the encrypted program.

[0210] The instruction TLB 121 can judge whether the currently
executed code is protected or not (encrypted or not). During the
execution of the protected code, two debugging functions
including a debug register function and a step execution
function are prohibited in order to prevent an intrusion of the
encrypted program analysis from a debug flag or a debug
register.

[0211] The debug register function is a function in which a
memory access range and an access type such as reading/writing
as the execution code or data are set in advance into a debug
register provided in the processor such that the interruption is
caused whenever a corresponding memory access occurs. In this
embodiment, during the execution of the protected code, the
contents set in the debug register will be ignored so that the
interruption for the purpose of the debugging will not occur.
Note however that the case where a debug bit is set in the page
table is excluded from this rule. The debug bit in the page
table will be described later.
[0212] During the execution of a non-protected (plaintext) code,
the interruption will be caused whenever one instruction is
executed if a step execution bit in an EFLAGS register of the
processor is set, but during the execution of the protected
code, this bit will also be ignored so that the interruption
will not occur.
[0213] In this embodiment, in addition to the encryption of the
execution codes for the purpose of preventing the analysis,
these functions make the analysis of the program by the user
difficult by preventing the dynamic analysis of the program
using the debug register or the debug flag.

<Data protection> 

[0214] Next, the protection of the processing target data of the
execution codes will be described.
[0215] In this embodiment, the encryption attributes for
protecting data are defined in four registers CY0 to CY3 that
are provided inside the microprocessor 101. They correspond to
regions 717 to 720 shown in Fig. 9. In Fig. 9, details of the
registers CY0 to CY2 are omitted, and only details of the
register CY3 are shown.
[0216] Elements of the encryption attribute will now be
described by taking the CY3 register 717 as an example. Upper
bits of the logical address indicating a top of the region to be
encrypted are specified in a base address 717-1. The size of the
region is specified in a size region 717-4. A size is specified
in units of the cache line so that there is an invalid portion
at the lower bits. A data encryption key is specified in a
region 717-5. Here the secret key algorithm is used so that the
region 717-5 is also used for the decryption key. When a value
of the encryption key is specified as "0", it implies that the
region indicated by that register is not encrypted.
[0217] Among the specifications of the regions, CY0 is given the
highest priority, and CY1 to CY3 are given sequentially lower
priorities in this order. For example, when the regions
specified by CY0 and CY1 overlap, the attributes of CY0 are
given the priority over those of CY1 in that region. Also, the
definition of the page table is given the highest priority in
the case of a memory access as the execution code rather than as
the processing target data.

[0218] A debug bit 717-4 is used in selecting whether
the data operation in the debugging state is to be carried 
out in an encrypted state or in a plaintext state. Details 
of the debug bit will be described later. 
[0219] Fig. 12 shows the information flow in the
encryption/decryption of the processing target data of the
execution codes. Here, the data protection is made only in the
state where the code is protected, that is, the code is executed
in an encrypted state. Note however that the case where the code
is executed in the debugging state to be described below will be
excluded from this rule. When the code is protected, the
contents of the data encryption control registers (which will be
also referred to as the encryption attribute registers or the
data protection attribute registers) CY0 to CY3 are read from
the register file 253 shown in Fig. 4 to a data encryption key
table 236 provided inside the data TLB 141.
[0220] When some instruction writes data into a logical address
"Addr", the data TLB 141 judges whether the logical address
"Addr" is contained in ranges of CY0 to CY3 or not by checking
the data encryption key table 236 (see Fig. I). As a result of
the judgement, if the encryption attribute is specified, the
data TLB 141 commands the code encryption function 212 to
encrypt the memory content by the specified encryption key at a
time of the memory writing of a corresponding cache line from
the L1 data cache 218 to the memory.
[0221] Similarly, in the case of reading, if the target 
address has the encryption attribute, the data TLB 141 
commands the data decryption function 219 to decrypt 
the data by the specified encryption key at a time of the 
reading of a cache line out to the corresponding L1 data 
cache 218. 

[0222] In this embodiment, the data encryption at- 
tributes are protected from the illegal rewriting including 
the privilege of the OS by placing all the data encryption 
attributes for the data encryption in the registers inside 
the microprocessor 101 and saving the contents of the
registers at a time of the execution interruption as the 
context information in a safe form into a memory (the 
main memory 281 of Fig. 4, for example) external of the 
microprocessor 101. 

[0223] The data encryption/decryption is carried out 
in units of the cache line that is interleaved as described 
above in relation to the context encryption. For this rea- 
son, even when one bit of the data on the L1 cache 114 
is rewritten, the other bits in the cache line will be rewrit- 
ten on the memory. The execution of the data reading/ 
writing is carried out collectively in units of the cache 
line, so that the increase of the overhead is not so large, 
but it should be noted that the reading/writing with re- 
spect to the encrypted memory regions cannot be car- 
ried out in units less than or equal to the cache line size. 
[0224] In the above, the method for protecting the da- 
ta by encryption in this embodiment has been described. 
By this method, on the main memory, it is possible to 
process the encrypted data by encrypting them inside 
the processor by using the encryption key and the mem- 
ory range specified by the application program, and 
read/write them as plaintext data from a viewpoint of the 
application. 

[0225] Next, two mechanisms for preventing reading 
of the data stored in a plaintext form in the cache mem- 
ory inside the processor by a program other than the 
encrypted programs that has read these data (which will 
be referred to as the other program) will be described. 
[0226] First, the program is identified by its encryption key.
This identification is made by using a key object identifier
used at a time of decrypting the currently executed instruction
inside the processor. Here, a value of the key itself may be
used for this identification, but a value of the execution code
decryption key has a rather large size of 1024 bits before the
decryption or of 128 bits after the decryption which would
require an increase of the hardware size, so that the key object
identifier which has a total length of only 10 bits is used.
[0227] The L1 instruction cache 213 in which the decrypted
execution codes are to be stored has attribute memories in
correspondence to the cache lines. When the decrypted execution
codes are stored into the L1 instruction cache 213 by the code
decryption function 212, the key object identifier is written
into the attribute memory.

[0228] Also, in the case of reading the encrypted data from the
memory and decrypting it, the contents of the data protection
attribute registers CY0 to CY3 are read out from the register
file 253 to a protection table management function 233 of the
data TLB 141. At this point, the key object identifier
corresponding to the currently executed instruction is also read
from the current code encryption key memory unit 251 at the same
time and maintained in the protection table management function
233.

[0229] Similarly as in the case of the instruction 
cache, the data cache 218 has attribute memories in 
correspondence to the cache lines. When the data read 
out from the memory is decrypted by the data decryption 
function 219 and stored into the L1 data cache 218, the
key object identifier is written into the attribute memory 
from the protection table management function 233. 
[0230] When some instruction is executed and the da- 
ta referring is carried out, the key object identifier written 
in the attribute of the data cache and the key object of 
that instruction in the instruction cache are compared by 
the secret protection violation detection unit 256. If they 
do not coincide, the exception of the secret protection 
violation occurs and the data referring fails. In the case 
where the attribute of the data cache indicates a plain- 
text, the data referring always succeeds. 
[0231] Note that, when the attributes of the instruction
and the data do not coincide, instead of causing the ex- 
ception, it is also possible to discard the content of this 
data cache and re-read the data from the memory once 
again. 

[0232] For example, consider program-1 and pro- 
gram-2 for which the execution code encryption key as 
well as the data protection attribute registers CY0 to
CY3 are different. If the encrypted data referred and writ- 
ten into the cache by the program-1 is to be referred by 
the program-2, the program-2 will read out a different 
data. This operation is in accord with the purpose of pro- 
tecting secrets. 

[0233] If two programs have the same data encryption 
key and data at the same address are referred by them, 
the same data will be read so that this data can be 
shared between them. 

[0234] In this way, in this embodiment, data generated 
by some program-1 can be protected from being re- 
ferred by another program-2 by providing a function for 
maintaining attributes of the instruction to be executed 
and the data indicating programs to which they originally 
belong, and comparing the attributes to see if they co- 
incide or not at a time of the data referring due to the 
instruction execution. 



<Entry gate> 

[0235] In this embodiment, the cases where the control can be
shifted from the non-protected code to the protected code are
limited only to the following two cases:

(1) the case where the context encrypted by using the execution
code encryption key (that is, the context having a random
number) that coincides with a restart address is to be
restarted; and

(2) the case where the control is shifted from a non-protected
code to an entry gate instruction ("egate" instruction) of the
protected code, by the execution of the consecutive codes or by
a jump or call instruction.

[0236] This limitation is placed in order to prevent an attacker
from obtaining information on code fragments by executing the
code from arbitrary position. The procedure for the above (1)
has already been described in relation to the context recovery.
Namely, the control is shifted to the execution of the protected
code only when it is verified that the context information
matching with the execution code encryption key of the code that
was executed immediately before the interruption is contained,
and that the proper signature given by the microprocessor 101 is
attached.

[0237] The above (2) is a processing for prohibiting a
transition to the execution of the protected code unless a
special instruction called entry gate ("egate") instruction is
executed at the beginning of the control in the case of shifting
the control from the non-protected code to the protected code.
[0238] Fig. 11 shows a procedure for switching a protection
domain based on the entry gate instruction. The microprocessor
101 is maintaining the encryption key of the currently executed
code in the current code encryption key memory unit 251 (see
Fig. 4) of the exception processing unit 131. First, whether the
value of this key is changed in conjunction with the execution
of the instruction or not is judged (step 601). When the change
of the key value is detected (step 601 NO), whether the
instruction executed in conjunction with the change is an entry
gate ("egate") instruction or not is checked next (step 602). If
it is the entry gate instruction, it implies that it is a proper
instruction so that the control can be shifted to the changed
code. Consequently, when it is judged as an entry gate
instruction (step 602 YES), this instruction is executed.

[0239] On the other hand, when it is judged as not an entry gate
instruction (step 602 NO), it implies that the interrupted
instruction is an improper instruction. In this case, whether
the instruction that was executed immediately previously is an
encrypted (protected) instruction or not is judged (step 603).
If it is a non-protected instruction, the exception processing
can take place directly, but if it is a protected instruction,
there is a need to carry out the exception processing while
protecting that instruction.

[0240] Consequently, when it is judged as a non-protected
instruction (step 603 NO), the exception processing is carried
out directly, whereas when it is judged as a protected
instruction (step 603 YES), the non-restartable exception
processing is carried out while maintaining the protected state.

[0241] By this limitation of the control shifting, the direct
shifting of the control from a plaintext code to a code
at a location other than that of the entry gate instruction
is prohibited. The context recovery implies the recovery 
of the state that was already executed once by that pro- 
gram through the entry gate. Consequently, the execu- 
tion of the protected program must pass through the en- 
try gate. By suppressing locations for placing the entry 
gate to the minimum necessary number in the program, 
there is an effect of preventing an attack for guessing a 
program structure by executing the program from vari- 
ous addresses. 

[0242] Also, at this entry gate, the initialization of the 
data protection attribute registers is carried out. When 
the entry gate is executed, a random number Kr is loaded
into a key region (a region 717-5 in CY3) of the data
protection attribute registers CY0 to CY3 717 to 720
shown in Fig. 9. The encryption target top address is set
to "0", the size is set to an upper limit of the memory, 
and the entire logical address space is set as the en- 
cryption target. If the debug attribute is not set in the 
execution code, the debug bit (717-3 in CY3) is set as 
non-debugging. 

[0243] In other words, at a timing of the encryption 
code execution start, all the memory accesses are en- 
crypted by using the random number Kr determined at 
a time of the entry gate execution. Also, in the execution 
code encryption control, the definition in the page table 
is given a higher priority as already mentioned above. 
This random number Kr is generated independently 
from the random number used in the context encryption. 
[0244] By this mechanism, a protected program to be 
newly executed is set to be always encrypted by using 
a key determined randomly at a time of the start of all 
the memory accesses. 

[0245] Of course, in this state the entire memory re- 
gion is encrypted so that it is impossible to give param- 
eters of the system call through the memory or ex- 
change data with the other programs. For this reason, 
the program carries out the processing by sequentially 
adjusting its own processing environment by setting the 
data protection attribute registers such that the neces- 
sary memory region can be converted into plaintext so 
that it becomes accessible. By leaving the register CY3 
with a lowest priority in the initial setting of being en- 
crypted by using the random number, while setting the 
encryption key °0" as the plaintext access setting for the 
other registers, it is possible to reduce a risk of access- 
ing an unnecessary region as a plaintext and writing da- 
ta to be kept in secret by encryption out to a plaintext 



region by error. 
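
The region lookup of [0216], [0217] and [0220] together with the entry gate initialization of [0242] to [0245], as an added C model that is not part of the patent text. The 32-byte cache line, the 32-bit address space, the function names and the key values are assumptions of this example, as is its policy of refusing unaligned ranges and of never reprogramming CY3.

```c
#include <stdint.h>
#include <stdio.h>

#define LINE_SIZE 32u          /* assumed cache line size; the page gives none */
#define ALL_LINES 0x08000000u  /* 2^32 bytes / LINE_SIZE: whole 32-bit space */
#define NUM_CY    4

typedef struct {
    uint32_t base;    /* top of the region, cache-line aligned */
    uint32_t lines;   /* size in cache lines */
    uint64_t key;     /* data encryption key; 0 = region not encrypted */
    int      debug;   /* debug bit */
} cy_reg;

/* State after "egate": every register covers the whole logical address
 * space with the fresh random key Kr, debug bit cleared. */
static void egate_init(cy_reg cy[NUM_CY], uint64_t kr) {
    for (int i = 0; i < NUM_CY; i++) {
        cy[i].base = 0;
        cy[i].lines = ALL_LINES;
        cy[i].key = kr;
        cy[i].debug = 0;
    }
}

/* Program one of CY0..CY2. CY3 stays the encrypted catch-all, and a range
 * that is not cache-line aligned is refused instead of being rounded outward,
 * because rounding a key-0 window would expose neighbouring bytes. */
static int set_region(cy_reg cy[NUM_CY], int idx, uint32_t base,
                      uint32_t bytes, uint64_t key) {
    if (idx < 0 || idx > 2) return -1;
    if (bytes == 0 || base % LINE_SIZE || bytes % LINE_SIZE) return -1;
    if ((uint64_t)base + bytes > 0x100000000ULL) return -1;
    cy[idx].base = base;
    cy[idx].lines = bytes / LINE_SIZE;
    cy[idx].key = key;
    return 0;
}

/* Key applied when the cache line holding addr is written back or read in.
 * CY0 has the highest priority; the first register covering addr decides,
 * even if its key is 0 (plaintext). No match also means plaintext. */
static uint64_t data_key_for(const cy_reg cy[NUM_CY], uint32_t addr) {
    for (int i = 0; i < NUM_CY; i++) {
        uint64_t start = cy[i].base;
        uint64_t end = start + (uint64_t)cy[i].lines * LINE_SIZE;
        if (addr >= start && addr < end) return cy[i].key;
    }
    return 0;
}

#define KR 0x5eed5eed5eed5eedULL  /* constructed: stands for the egate random number */
#define K1 0x00c0ffee00c0ffeeULL  /* constructed: key chosen by the program */

/* configured = 0: state right after egate.
 * configured = 1: CY0 opens a plaintext parameter window at 0x2000..0x20ff,
 *                 CY1 puts 0x2080..0x227f under K1 (overlapping CY0). */
static uint64_t demo_key(int configured, uint32_t addr) {
    cy_reg cy[NUM_CY];
    egate_init(cy, KR);
    if (configured) {
        set_region(cy, 0, 0x2000, 0x100, 0);
        set_region(cy, 1, 0x2080, 0x200, K1);
    }
    return data_key_for(cy, addr);
}

/* Returns 1 when both an unaligned window and a write to CY3 are refused. */
static int demo_rejects(void) {
    cy_reg cy[NUM_CY];
    egate_init(cy, KR);
    return set_region(cy, 0, 0x2010, 0x100, 0) == -1
        && set_region(cy, 3, 0x2000, 0x100, 0) == -1;
}

int main(void) {
    const uint32_t probe[] = { 0x1fff, 0x2000, 0x20ff, 0x2100, 0x2280 };
    for (int i = 0; i < 5; i++)
        printf("0x%04x -> key %016llx\n", (unsigned)probe[i],
               (unsigned long long)demo_key(1, probe[i]));
    printf("bad requests refused: %d\n", demo_rejects());
    return 0;
}
```

In the overlap 0x2080..0x20ff the higher-priority CY0 wins, so those lines are written out as plaintext even though CY1 names a key for them; every address outside both windows still falls through to the random key.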

[0246] The contents of the registers other than the da- 
ta protection attribute registers are not encrypted even 
in the initialization at the entry gate, and pointers for 
specifying locations of stacks or parameters can be 
stored therein. However, care should be taken in the
processing of the program to be executed through the 
entry gate so that secrets of the program will not be sto- 
len by calling up the entry gate by setting illegal values 
into the registers. 

[0247] It is also possible to use a configuration for in- 
itializing all the registers other than the flags and the pro- 
gram counter, including the general purpose registers 
other than the data protection attribute registers, at the 
entry gate in the case of attaching more importance to 
the safety, even though this provision makes the pro- 
gramming more restricted and the efficiency poorer. 
Even in this case, the parameters such as stacks can 
be exchanged through a memory region specified by a 
relative address or an absolute address of the program 
counter. Note however that, similarly as in the case of 
the context saving, the system registers including a part 
of the flag registers and the task register are excluded 
from a target of the encryption or the initialization of the 
registers for the sake of continuation of the OS opera- 
tion. 

[0248] In this way, in the microprocessor 101 of this 
embodiment, the fragmental execution of the protected 
code, especially the illegal setting of the data protection 
state, is prevented, as the first instruction to be executed 
at a time of shifting the control from the program in the 
plaintext state to the protected program is limited to the 
entry gate instruction and the registers including the da- 
ta protection attribute registers are initialized by the ex- 
ecution of the entry gate instruction. 
[0249] Next, the execution control of the protected 
program will be described. First, the call up and the 
branching that are closed within the protection domain 
will be described. The call up within the protection domain
is exactly the same as that for the usual programs.
Fig. 13 shows the call up and the branching within the
protection domain conceptually.
[0250] The execution of the code 1101 in the protection domain
is started as a thread 1121 outside the protection domain is
branched into an "egate" (entry gate) instruction of the
protection domain. By the execution of the "egate" instruction,
all the registers are initialized, and then the data protection
attributes are set up sequentially by the execution of the
program. The control is shifted to a branch target "xxx" 1111 in
the protection domain by a "jmp xxx" instruction (processing
1122), and a "call yyy" instruction located at an address "ppp"
1112 is executed (processing 1123). The calling source address
"ppp" 1112 is pushed into a stack memory 1102, and the control
is shifted to a call target "yyy" 1113. When the processing at
the call target is completed and a "ret" instruction is
executed, the control is shifted to a return address "ppp" 1112
in the stack. There is no limitation on the execution control
while the execution code encryption key remains the same.
[0251] Next, the call up and the branching from a protection
domain to a non-protection domain will be described. For this
control shifting, the execution of a special instruction and the
operation of the user TSS to be described below will be carried
out in order to avoid a shifting from a protection domain to a
non-protection domain that is not intended by the program
creator and to protect the data protection state.
[0252] Fig. 14 shows the call up and the branching
from a protection domain to a non-protected domain 
conceptually, where an execution code 1201 of the pro- 
tection domain and an execution code 1202 of the non- 
protection domain are placed in respective domains. Al- 
so, a user TSS region 1203 and a region 1204 for ex- 
changing parameters with the non-protection domain 
are provided. 

[0253] The execution begins when a thread 1221 executes the
"egate" instruction. The program of the protection domain saves
the address of the user TSS region 1203 in a prescribed
parameter region 1204 before calling up the code of the
non-protection domain. Then,
the code of the non-protection domain is called up by 
executing the "ecall" instruction. The "ecall" instruction 
takes two operands. One is a call target address, and 
the other is a saving target of the execution state. The 
"ecall" instruction saves the register state at a time of 
the call up (or more accurately the register state when 
the program counter is in a state after the "ecall" instruc- 
tion is issued) into a region specified by the operand 
"uTSS", in a format similar to that in the case of the en- 
crypted TSS described above. In the following, this re- 
gion will be referred to as a user TSS. 
[0254] The difference between the user TSS and the 
system TSS lies in that, in the user register shown in 
Fig. 10, a U flag is set in a region 825-2 on the TSS. The 
difference in the operation will be described later. In the 
saving of the user TSS into the memory, the data pro- 
tection attributes defined in the data protection attribute 
registers CY0 to CY3 by the user are not applied, similarly
as in the case of the saving of the context information
into the system TSS.

[0255] The call target code of the non-protection do- 
main cannot exchange parameters because the regis- 
ters are initialized by the execution of the "ecall" instruc- 
tion. For this reason, the parameters are acquired from 
a prescribed address "param" 1204, and the necessary 
processing is carried out. There is no limitation on the 
programming in the non-protection domain. In the ex- 
ample of Fig. 14, a sub-routine "qqq" 1213 is called up 
(processing 1225). The call up from the protection domain can be
adapted to the call up semantics of the sub-routine "qqq" by
placing an adaptor code for copying stack pointer setting and
the parameters to the stack, between "exx" and the call up of
"qqq", for example. The processing result is sent to the calling
source through the parameter region 1204 on the memory
(processing 1226). When the processing of the sub-routine is
completed, a "sret" instruction is issued in order to return the
control to the calling source protection domain (processing
1227).

[0256] The "sret" instruction takes one operand for specifying
the user TSS, unlike the "ret" instruction that has no operand.
Here, the user TSS 1203 is specified indirectly as the recovery
information through a pointer stored in the parameter region
"param" 1204. The recovery of the user TSS by the "sret"
instruction largely differs from the recovery of the system TSS
in that the task register is not affected at all even when the
user TSS is recovered. The task link field of the user TSS will
be ignored. The recovery will fail when the system TSS with the
U flag 825-2 set to "0" is specified in the operand of the
"sret" instruction.

[0257] At a time of the execution of the recovery, the 
decryption of the execution state and the verification of 
the execution code encryption key and the signature al- 

20 ready described above are carried out, and when the 
violation is detected, the exception of the secret protec- 
tion violation will occur. When the verification succeeds, 
the execution is restarted from an instruction next to the 
calling source "ecall" instruction. This address is en- 
crypted and signed in the user TSS, so that it is crypto- 
graphically impossible to forge this address. All the reg- 
isters except for the program counter will be set back to 
the state before the call up, so that the code of the pro- 
tection domain acquires the execution result of the sub- 
routine "exx" from the parameter region 1204. 

[0258] At a time of shifting the control to the non-pro- 
tection domain after the processing of the protection do- 
main is completed, an "ejmp" instruction is used. The 
"ejmp" instruction does not carry out the saving of the 
state, unlike the "ecall" instruction. If the control is shift- 
ed from the protection domain to the non-protection do- 
main by the instruction other than "ecall" and "ejmp", 
such as "jmp" or "call", the exception of the secret pro- 
tection violation occurs and the encrypted context infor- 
mation is saved in the TSS region (a region indicated by 
the task register) of the system. Note that the context 
information will be marked as non-restartable at this 
point. Note also that specifying an address in the pro- 
tection domain as a jumping target of the "ejmp" instruc- 
tion does not cause the violation. 

[0259] This completes the description of a procedure 
for call up from the protection domain to the non-protec- 
tion domain and newly added instructions used in that 
procedure. 

[0260] At a time of the recovery of the user TSS by 
the application, an attack for substituting the user TSS 
by the OS which has privileges is not entirely impossible. 
However, the interchangeable TSS information in such 
a case is only the context information whose execution 
is always started through the "egate" and which is saved 
by the saving of the execution state caused by the in- 
terruption or by the user explicitly, as long as the exe- 
cution code encryption key of the protection domain is 
managed correctly. A possibility for the leakage of the 
secrets of the application due to the interchange of this 
context information is quite small, and it is quite difficult 
for an attacker to guess what kind of the context infor- 
mation interchange is necessary in acquiring the secrets 
of the application. 

[0261] The procedure for call up from the protection 
domain to the non-protection domain described above 
is also applicable to a procedure for shifting the control 
between the protection domains, if the instruction to be 
executed first at the call target is the "egate" instruction 
of the calling source side. 

[0262] In this case, the call up between the protection 
domains can be carried out safely by encrypting the re- 
gion for exchanging parameters between these protec- 
tion domains, by using an encryption key that is shared 
by carrying out the authentication key exchange be- 
tween these protection domains in advance. 
[0263] As described, according to the microprocessor 
of the present invention, it becomes possible to prevent 
the illegal analysis by the OS or a third party by protect- 
ing both the execution codes and the processing target 
data of the execution codes by using the encryption, un- 
der the multi-task environment. 

[0264] Also, it becomes possible to prevent the illegal 
rewriting of the encryption attributes in the case of sav- 
ing the encrypted data. 

[0265] Also, it becomes possible to protect the en- 
crypted data from illegal attacks by using arbitrary ran- 
dom number Kr rather than a fixed key as the encryption 
key for the processing target data. 
[0266] Also, it becomes possible to carry out the de- 
bugging in the plaintext state, and when errors are 
found, a feedback on the errors can be provided to the 
program vendor who knows the execution code encryp- 
tion key. 

[0267] Also, it becomes possible to prevent an in- 
crease of the memories in the microprocessor and sup- 
press the cost of the microprocessor by saving informa- 
tion that required the secret protection such as the en- 
cryption attribute information on an external memory by 
attaching a signature of the microprocessor, reading on- 
ly the necessary portion into the registers inside the mi- 
croprocessor, and carrying out the verification of the sig- 
nature at a time of reading. In this scheme, the safety 
against the substitution at a time of the reading can also 
be guaranteed. 

[0268] It is also to be noted that, besides those al- 
ready mentioned above, many modifications and varia- 
tions of the above embodiments may be made without 
departing from the novel and advantageous features of 
the present invention. Accordingly, all such modifica- 
tions and variations are intended to be included within 
the scope of the appended claims. 



Claims 

1. A microprocessor having a unique secret key and 
a unique public key corresponding to the unique se- 
cret key that cannot be read out to external, com- 
prising: 

a reading unit configured to read out a plurality 
of programs encrypted by using different exe- 
cution code encryption keys from an external 
memory; 

a decryption unit configured to decrypt the plu- 
rality of programs read out by the reading unit 
by using respective decryption keys; 
an execution unit configured to execute the plu- 
rality of programs decrypted by the decryption 
unit; 

a context information saving unit configured to 
save a context information for one program 
whose execution is to be interrupted, into the 
external memory or a context information mem- 
ory provided inside the microprocessor, the con- 
text information containing information indicat- 
ing an execution state of the one program and 
the execution code encryption key of the one 
program; and 

a restart unit configured to restart an execution 
of the one program by reading out the context 
information from the external memory or the 
context information memory, and recovering 
the execution state of the one program from the 
context information. 

2. The microprocessor of claim 1, wherein the context 
information saving unit is configured to encrypt the 
context information by using the public key, and to 
save an encrypted context information into the ex- 
ternal memory; and 

the restart unit is configured to restart the ex- 
ecution of the one program by reading out the en- 
crypted context information from the external mem- 
ory, decrypting the encrypted context information by 
using the secret key, and recovering the execution 
state of the one program from a decrypted context 
information. 

3. The microprocessor of claim 2, wherein the restart 
unit restarts the execution of the one program only 
when a decrypted execution code encryption key 
contained in the decrypted context information co- 
incides with the execution code encryption key of 
the one program. 

4. The microprocessor of claim 2, wherein the restart 
unit uses a decrypted execution code encryption 
key contained in the decrypted context information 
as a decryption key for decrypting the one program. 
5. The microprocessor of claim 1, 2, 3 or 4, wherein 
the context information saving unit is configured to 
save the context information in a plaintext form into 
the context information memory which is not read- 
able by another program which is executed after the 
one program is interrupted; and 

the restart unit is configured to restart an ex- 
ecution of the one program by reading out the con- 
text information from the context information mem- 
ory, and recovering the execution state of the one 
program from the context information. 



6. The microprocessor of claim 5, wherein the restart 
unit restarts the execution of the one program in re- 
sponse to an execution of a prescribed instruction 
by the another program. 

7. The microprocessor of claim 5 or 6, wherein the 
context information saving unit saves the context in- 
formation into the context information memory at a 
time of interrupting the execution of the one pro- 
gram, and encrypts the context information in the 
context information memory by using the public key 
and stores the encrypted context information into 
the external memory in response to an execution of 
another prescribed instruction by the another pro- 
gram. 

8. The microprocessor of claim 5, wherein the context 
information saving unit saves the context informa- 
tion into the context information memory at a time 
of interrupting the execution of the one program, 
and encrypts the context information in the context 
information memory by using the public key and 
stores the encrypted context information into an ad- 
dress on the external memory that is specified by 
the another program. 

9. The microprocessor of claim 1, wherein the context 
information saving unit is configured to generate a 
random number as a temporary key, to encrypt the 
context information, and to save an encrypted con- 
text information into the external memory, the en- 
crypted context information containing a first value 
obtained by encrypting information indicating the 
execution state of the one program by using the 
temporary key and a second value obtained by en- 
crypting the temporary key by using the public key; 
and 

the restart unit is configured to restart the ex- 
ecution of the one program by reading out the en- 
crypted context information from the external mem- 
ory, decrypting the temporary key from the second 
value contained in the encrypted context informa- 
tion by using the secret key, decrypting the informa- 
tion indicating the execution state from the first val- 
ue contained in the encrypted context information 
by using a decrypted temporary key, and recovering 
the execution state of the one program from a de- 
crypted context information. 

10. The microprocessor of claim 9, wherein the context 
information saving unit saves the encrypted context 
information that also contains a third value obtained 
by encrypting the temporary key by using the exe- 
cution code encryption key of the one program. 

11. The microprocessor of claim 10, wherein the restart 
unit decrypts a first temporary key from the second 
value contained in the encrypted context informa- 
tion by using the secret key and decrypts the infor- 
mation indicating the execution state from the first 
value contained in the encrypted context informa- 
tion by using the first decrypted temporary key, 
while decrypting a second temporary key from the 
third value contained in the encrypted context infor- 
mation by using the execution code encryption key 
of the one program, and restarts the execution of 
the one program only when the first decrypted tem- 
porary key coincides with the second decrypted 
temporary key. 

12. The microprocessor according to any one of claims 
1-11, further comprising: 

an execution state memory unit for storing an 
execution state of a currently executed pro- 
gram; and 

an execution state initialization unit configured 
to initialize a content of the execution state 
memory unit to a prescribed value or encrypts 
the content of the execution state memory unit, 
before an execution of another program starts 
after the one program is interrupted. 
13. The microprocessor according to any one of claims 
1-12, further comprising: 

a key reading unit configured to read out the 
execution code encryption key of each program 
that is encrypted by using the public key in ad- 
vance, from the external memory; and 
a key decryption unit configured to decrypt the 
execution code encryption key read out by the 
key reading unit, by using the secret key; 
wherein the decryption unit decrypts each pro- 
gram by using the execution code encryption 
key as a decryption key. 

14. The microprocessor according to any one of claims 
1-13, further comprising: 

an execution state memory unit for storing an 
execution state of a currently executed pro- 
gram and an encryption attributes for data to be 
processed by the currently executed program; 
and 

a data encryption unit configured to encrypt the 
data to be processed by the currently executed 
program according to the encryption attributes 
stored in the execution state memory unit. 

15. The microprocessor according to any one of claims 
1-14, further comprising: 

an execution state memory unit for storing an 
execution state of a currently executed pro- 
gram, encryption attributes for data to be proc- 
essed by the currently executed program, and 
an encryption attribute specifying information 
for specifying the encryption attributes; 
a related information writing unit configured to 
write a related information related to the en- 
cryption attribute specifying information and 
containing a signature obtained by using the 
secret key, into the external memory; 
a related information reading unit configured to 
read out the related information from the exter- 
nal memory according to an address of a data 
to be referred by the currently executed pro- 
gram; 

a data referring permission unit configured to 
verify the signature contained in the related in- 
formation by using the public key, and to permit 
a data referring by the currently executed pro- 
gram by determining an encryption key and an 
algorithm to be used for the data referring ac- 
cording to the related information and the en- 
cryption attribute specifying information, only 
when the signature contained in the related in- 
formation coincides with an original signature 
of the microprocessor; and 
a data encryption unit configured to encrypt the 
data to be referred by the currently executed 
program according to the encryption attributes 
stored in the execution state memory unit. 

16. The microprocessor according to any one of claims 
1-15, further comprising: 

a cache memory for caching plaintext instruc- 
tions and plaintext data for the plurality of pro- 
grams in units of cache lines, the cache mem- 
ory having an attribute area for each cache line 
indicating a decryption key identifier for unique- 
ly identifying a decryption key used in decrypt- 
ing each program whose instructions are 
cached in each cache line or each program 
whose execution has caused caching of the 
plaintext data in each cache line; 
a cache access control unit configured to permit 
a data referring caused by an execution of one 
cached program stored in one cache line with 
respect to one cached data in another cache 
line, only when the decryption key identifier in- 
dicated by the encryption attribute for the one 
cache line coincides with the decryption key 
identifier indicated by the encryption attribute 
for the another cache line. 

17. The microprocessor of claim 16, wherein when the 
data referring is not permitted, new data are cached 
into the another cache line from the external mem- 
ory. 

18. The microprocessor of claim 16, wherein when the 
data referring is not permitted, an execution of the 
one cached program is interrupted by a protection 
exception. 

19. The microprocessor according to any one of claims 
1-18, wherein the execution unit also executes 
plaintext programs, and has a debugging function 
for causing an exception when an execution of a 
program at a specific address or address region or 
a data referring to a data at the specific address or 
address region occurs during an execution of a 
plaintext program, the debugging function being in- 
validated during an execution of an encrypted pro- 
gram. 

20. The microprocessor according to any one of claims 
1-19, wherein constituent elements of the micro- 
processor are contained in a single chip or a single 
package. 
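
Claims 9 to 11 describe sealing the context under a fresh temporary key that is wrapped twice, and restarting only when the two unwrapped copies coincide. The sketch below is an added example, not code from the patent: textbook RSA over constructed primes and a SHA-256 keystream are assumed stand-ins for the processor's public-key and symmetric ciphers, and the names `sym`, `save_context` and `restart` are hypothetical.

```python
import hashlib
import secrets

# Constructed toy key pair standing in for the chip's unique key pair
# (textbook RSA over two Mersenne primes; illustrative only, not secure).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # secret exponent, never leaves the "chip"


def sym(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in symmetric cipher: XOR with a SHA-256 keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def save_context(state: bytes, code_key: bytes) -> dict:
    """Claims 9-10: encrypt the execution state under a random temporary key."""
    kr = secrets.token_bytes(16)
    return {
        "first": sym(kr, state),                         # state under Kr
        "second": pow(int.from_bytes(kr, "big"), E, N),  # Kr under public key
        "third": sym(code_key, kr),                      # Kr under code key
    }


def restart(ctx: dict, code_key: bytes) -> bytes:
    """Claim 11: recover the state only if both unwrapped keys coincide."""
    kr_int = pow(ctx["second"], D, N)
    if kr_int >> 128:  # a tampered second value does not unwrap to a 16-byte key
        raise PermissionError("secret protection violation")
    kr1 = kr_int.to_bytes(16, "big")
    kr2 = sym(code_key, ctx["third"])
    if not secrets.compare_digest(kr1, kr2):
        raise PermissionError("secret protection violation")
    return sym(kr1, ctx["first"])
```

The comparison in `restart` is what ties a saved context to one execution code encryption key: a context presented with another program's key, or with a second value taken from a different save, is refused.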